Overview

On 18 March 2026, the Prudential Regulation Authority (PRA) published Policy Statement 7/26 (PS7/26) setting out final rules and policy materials to be implemented 18 March 2027.

PS7/26 incorporates conclusions from responses to the December 2024 Consultation Paper 17/24 (CP17/24) which proposed to establish a policy for reporting of operational incidents and reporting of material third party arrangements (MTPs).

Current Approach

Currently, firms must notify the PRA of certain incidents and outsourcing arrangements under existing rules, including maintaining outsourcing registers. CP17/24 proposed enhanced requirements for reporting operational incidents, including:

Defined thresholds,
a three-phase reporting approach, and
specified data requirements.

It also expanded notification rules to capture material third-party (MTP) arrangements more accurately.

The PRA has finalised its policy after considering industry feedback, publishing responses and outlining any significant changes made following consultation.

Final Rules

The PRA recognised areas where modification of the proposed rules was appropriate.

1. Operational Incident Reporting

Firms must report operational incidents that meet PRA-defined thresholds (e.g., safety, soundness, financial stability).
Process Change:
- CP17/24: Submit three separate reports (initial, intermediate, final).
- PS7/26: Submit one report completed in three phases
Reporting is to be completed via FCA Connect in both cases.

Implications for firms – the final policy is a simpler, more streamlined approach that is intended to require less regulatory resource.

2. Material third-party (MTP) notifications

Scope to be expanded:
- CP17/24: Only high-risk MTP arrangements require notification.
- PS7/26: All MTP arrangements must be notified.

Timing of notification remains the same:
- Notify before entering or materially changing arrangements.
Process improvement:
- CP17/24: Email to supervisor.
- PS7/26: Standardised via FCA Connect.
Firms to assess frictions to monetisation, including market constraints, operational delays, governance processes, and the impact of unrealised losses on capital.
Conduct more comprehensive internal assessments of monetisation risk.

Implications for firms – all MTP arrangements now require notification, removing some of the definitional challenges surrounding ‘high-risk’ MTPs. The process for notification has changed and is now to be completed through FCA Connect in a more direct method of notification.

3. MTP Register Requirements

Firms must maintain and submit an annual register of all MTP arrangements.
Submission is via FCA RegData.
The purpose of this is to provide regulators with a comprehensive view of third-party dependencies.

4. Frims in Scope

CP17/24:
- Banks, insurers, and PRA-designated investment firms.
- Credit unions only included for certain requirements.

PS7/26:
- Scope is aligned across all requirements, covering:
  - Banks and PRA-designated investment firms.
  - Insurers (including Lloyd’s and managing agents).
  - Only applies to Credit unions with ≥£50m assets.

Implications for firms – only Credit Unions with total assets of greater than £50 million are required to submit an annual register.

How We Can Help

Firms may face challenges when determining whether operational incidents meet PRA-defined thresholds or developing their internal risk frameworks for operational incidents. At Katalysys, we have a deep understanding of operational risk, and the measurement, monitoring and management thereof. We have supported many clients with the development of their internal risk frameworks with respect to a range of operational risks.

For further information please contact: