FCA sets new third-party reporting rules amid cyber surge


The Financial Conduct Authority (FCA) has confirmed a sweeping overhaul of its incident and third-party reporting requirements, making existing frameworks clearer, more consistent, and easier for firms to follow.

The changes, published on 18 March 2026, give regulated firms 12 months to prepare before the rules come into force on 18 March 2027.

The regulatory update comes amid a sharp rise in cyber threats facing the UK financial sector. Cyber attacks are becoming more frequent and sophisticated, with firms increasingly reliant on third-party providers.

Critically, over 40% of cyber incidents reported to the FCA in 2025 involved third-party services, with high-profile outages from Cloudflare and AWS highlighting how vulnerable the sector can be when key providers go down.

The FCA acknowledged that firms have not always reported incidents consistently, and that the industry had called for greater clarity on what to report and what information to provide. Following a consultation in December 2024 on clearer, more structured reporting frameworks, the regulator took the feedback on board and streamlined its final reporting requirements to reduce unnecessary burden, while still ensuring it receives the information needed to assess impact early and respond effectively.

Among the key changes introduced, the FCA has created a simple, streamlined reporting regime with the Prudential Regulation Authority (PRA) and Bank of England, including a single reporting portal, and removed duplicative incident reporting for payment service providers and credit rating agencies.

The regulator has also significantly reduced the information requirements for the majority of FCA solo-regulated firms and credit unions by moving to a single short form with just 10 required questions. Clearer guidance on thresholds, definitions and responsibilities has also been added.

FCA director of specialists and wholesale sell-side Mark Francis said, ‘Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on. These changes give firms clearer rules and practical guidance to better manage disruption, while supporting our ambition to be a smarter regulator, giving us better data to spot risks, share insights and strengthen sector-wide resilience.’

Beyond immediate incident response, the FCA set out its longer-term ambitions for the data collected under the new framework. Over time, the data will be used to share insights and trends to help firms bolster their operational resilience and share relevant information with industry during widespread disruption, particularly in stressed market conditions.

Where disruption originates at a third party, the data will help the regulator see through firms’ supply chains to identify which services are most exposed, and help identify potential critical third parties to the UK financial system.

Alongside the final rules, the FCA is publishing Finalised Guidance for both incident reporting and third-party reporting. This includes clear examples of what firms should report, help applying the thresholds, and guidance on completing the incident form and third-party register — all in direct response to feedback from industry seeking greater clarity and practical support.

The FCA will also host a webinar on 29 April 2026, giving firms the opportunity to learn more about the new framework and put questions to the regulator.

Copyright © 2026 FinTech Global