The Prudential Regulation Authority (PRA) has published a new Consultation Paper, CP17/24 – Operational Resilience: Operational Incident and Outsourcing and Third-Party Reporting. This paper outlines the proposed rules and expectations for firms to report operational incidents and disclose details about their material third-party arrangements.
The proposals are a pandemic-delayed response to a 2019 Treasury Select Committee report into various IT failures in the financial services sector, including the case involving TSB, which we explored in our article “TSB Operational Resilience Fine – What Lessons Can Insurers Learn From This?”. We are now seeing the formal regulatory response to those issues.
Stakeholders have been invited to submit feedback on these proposals by Friday, 14th March 2025.
Key Proposals in the Consultation Paper
The consultation focuses on two critical areas of operational resilience: operational incident reporting and outsourcing and third-party reporting. Both areas aim to enhance the regulatory oversight of operational risks, particularly those arising from external service providers – and not just those involved in the provision of IT services – or material incidents affecting firms’ ability to deliver essential services.
Operational Incident Reporting
Under the proposed rules, firms will be required to notify the PRA if they experience an “operational incident.” These incidents are defined as:
“…an ‘operational incident’, which is defined as either a single event or a series of linked events which disrupts the firm’s operations such that it:
- disrupts the delivery of a service to an end user external to the firm; or
- impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user.”
In other words, an operational incident is a scenario that results in significant disruption to the delivery of services to external end-users, primarily customers. The incidents may also involve the compromise of information (whether its availability, integrity, confidentiality, or authenticity) relating to those customers or other end-users.
The proposals emphasise that firms should only report incidents that pose a material risk to the PRA’s statutory objectives, namely the safety and soundness of firms and financial stability. For firms that have already taken steps under the PRA’s Operational Resilience framework, such as identifying Important Business Services (IBS) and setting Impact Tolerances, these existing structures and processes will assist in meeting the new reporting requirements.
Importantly, the reporting obligation is not intended to encompass every minor operational disruption. Instead, it is focused on incidents that could have systemic implications, which aligns with the PRA’s goal of ensuring that firms can maintain critical functions in the face of operational challenges. The PRA has defined specific thresholds to ensure clarity for all firms around what it considers to constitute a threat to its statutory objectives.
This section of the proposals applies to:
- UK banks, building societies, PRA-designated investment firms and branches of overseas banks (‘banks’); and
- UK Solvency II firms, the Society of Lloyd’s and its managing agents (‘insurers’).
Outsourcing and Third-Party Reporting
The second major area of focus is the reporting of third-party arrangements, including both outsourcing and non-outsourcing relationships. The increasing reliance on third-party providers by firms raises new risks, particularly around operational disruptions originating from outside the firm. Such disruptions could compromise firms’ safety and soundness, undermine policyholder protection, or threaten the broader financial stability of the UK.
In recognition of this growing dependence, the PRA is proposing to standardise the reporting requirements for third-party arrangements, ensuring consistent, high-quality, and comparable data across the industry. This will enable the PRA to more effectively monitor potential risks and vulnerabilities associated with third-party service providers. By improving its ability to assess firms’ reliance on key third parties, the PRA aims to enhance its understanding of the risks associated with concentration of services or dependencies on particular providers.
The proposals will apply differently depending on the type of firm, with distinctions made between Other Systemically Important Institutions (O-SIIs) and Solvency II firms. This tiered approach reflects the PRA’s commitment to ensuring that regulatory requirements are proportionate to the risk profile of firms, while still capturing critical information on third-party dependencies.
This section of the proposals applies to all PRA-regulated firms.
Implementation Timeline and Next Steps
The PRA has indicated that any finalised rules stemming from this consultation will not come into effect until the second half of 2026 at the earliest. Whilst there is no immediate action required from firms unless they wish to respond to the PRA’s consultation and provide feedback on the proposals, firms may want to start considering how these requirements, if finalised, would impact their current operational incident reporting processes and third-party management frameworks.
Firms that wish to contribute their views are encouraged to submit feedback by 14th March 2025 via the PRA website.
A Note About Blueprint Two
In any scenario where the implications of reliance on material outsourced services are being considered, thoughts will inevitably turn to the significant technology-focused change programme currently underway for London Market firms. Affecting firms within and outside the ambit of PRA regulation, the web of inter-dependencies will inevitably lead to questions about the way these new regulations might affect those involved with Blueprint Two. In our view it most certainly will be within scope, and any firm affected would be well advised to carefully consider how it would address this. It can be in no doubt that the PRA will have Velonetic, as the core outsourced service provider, firmly in its sights as the provider of third-party services which, if a disruption to those services were to arise, could have material consequences. Velonetic and their partners will be well aware of that and will themselves be taking actions to mitigate those risks and to assist their clients in doing so.
Conclusion
The PRA’s Consultation Paper CP17/24 marks a significant step in enhancing the operational resilience of financial institutions by tightening the regulatory framework around operational incident reporting and third-party arrangements. As firms continue to rely on outsourcing and third-party services, these proposals aim to safeguard the safety and soundness of individual firms and the systemic stability of the UK financial system as a whole. The proposed rules reflect a broader effort to ensure that firms are prepared for operational disruptions and can respond effectively to incidents that pose risks to end users and critical services. Those firms that have already completed the transitional phase work of the Operational Resilience requirements will find themselves well-placed to respond to these proposals if implemented broadly as currently outlined. (You can read our various articles about Operational Resilience here.)
The PRA should also be commended for its conscious efforts to minimise the cost and burden of these proposed regulations for firms by re-using existing standards and definitions where possible, providing clear and consistent standard guidance and alignment with other regulators.
Although the full implementation of these proposals is not expected until at least the second half of 2026, firms should begin assessing their current frameworks for incident management and third-party oversight. This is particularly relevant for PRA-regulated firms and their partners, such as Brokers and MGAs, who may be indirectly impacted through new reporting requirements from capacity providers, particularly where they rely on connected IT platforms. Early preparation will help firms adapt to any forthcoming changes and ensure they remain compliant with evolving regulatory expectations.
For now, firms should focus on ensuring their Operational Resilience work remains up to date, understanding the potential implications for their own operations, and considering whether they wish to submit any feedback to the PRA before the March 2025 deadline. This proactive approach will help firms navigate the regulatory changes while maintaining robust operational resilience.