FCA CP24/28: New Reporting Rules on the Horizon


With the FCA’s Policy Statement on CP24/28 expected shortly, financial services firms should advance preparations for changes to operational incident and third-party reporting. Although implementation is not expected until the second half of 2026, early preparation will help firms manage implementation more effectively once the final rules are confirmed.

 

What is CP24/28?

CP24/28 addresses a persistent problem: firms don't know when and how to report operational incidents to the FCA. Following feedback from the 2022 Transforming Data Collection programme, the regulator found that many firms were unclear about how and when to engage regarding incidents.

The consultation introduces two frameworks:

  • Operational incident reporting with clear thresholds and standardised processes
  • Material third-party arrangement disclosure to address concentration risk

 

Who Does This Apply To?

Operational Incident Reporting: All directly regulated firms, payment service providers, UK Recognised Investment Exchanges, registered trade repositories and registered credit rating agencies. Proportionality measures protect smaller firms from disproportionate burden.

Third-Party Reporting: Enhanced-scope Senior Managers and Certification Regime (SM&CR) firms, banks, PRA-designated investment firms, building societies, Solvency II firms, and large firms subject to the Client Assets Sourcebook (CASS). It also applies to UK recognised investment exchanges (RIEs), authorised electronic money institutions, authorised payment institutions, and consolidated tape providers.

 

What's Changing?

Clear Incident Definition and Thresholds

For the first time, the FCA defines an operational incident as any event or series of events that disrupts operations by interrupting service delivery or compromising data integrity.

Three proposed reporting thresholds:

  • Consumer harm – intolerable harm where recovery is difficult or impossible
  • Market integrity – events threatening UK financial system stability
  • Safety and soundness – disruptions risking firm viability or affecting other participants

The FCA provides practical case studies rather than prescriptive metrics, demonstrating how thresholds apply across different scenarios.

Standardised Three-Stage Reporting

More standardised and structured reporting processes will replace the current fragmented approach:

  1. Initial notification when thresholds are breached
  2. Intermediate updates as situations evolve
  3. Final report following resolution

This recognises that complete information isn't immediately available while enabling near-real-time monitoring.

Beyond Traditional Outsourcing

Current rules only capture outsourcing, but many incidents originate at third parties in non-outsourcing relationships. Firms must now maintain annual registers of "material third-party arrangements" - any relationship where disruption could cause intolerable client harm, threaten system integrity, or jeopardise threshold conditions.

Board members and senior management will be expected to provide effective governance and oversight of these relationships in line with the SM&CR framework.

 

What This Means for FS Firms

Immediate Actions

With implementation expected in H2 2026, firms should use the available lead time to prepare:

  • Map current incidents to proposed thresholds to understand reporting triggers
  • Assess third-party relationships to identify which qualify as "material"
  • Strengthen governance structures for Board and senior management oversight
  • Evaluate technology capabilities for the FCA's new automated platform

 

The Broader Context

CP24/28 doesn't exist in isolation. It follows the March 2025 operational resilience deadline and aligns with the FCA's November 2024 critical third-party framework. Firms that treated operational resilience as a "once and done" exercise are discovering it's an ongoing discipline.

From Burden to Opportunity

The FCA notes that structured data collection will enable industry insights and benchmarking. Firms embedding robust incident management and third-party governance early aren't just preparing for compliance - they're building capabilities that differentiate them in an increasingly digital and scrutinised financial ecosystem.

 

Practical Next Steps

With the Policy Statement expected shortly:

  1. Complete gap analyses against proposed requirements
  2. Engage technology and risk teams on system requirements and data collection
  3. Review third-party risk frameworks to capture non-outsourcing arrangements
  4. Ensure senior leadership understands its expanded oversight responsibilities
  5. Develop implementation roadmaps assuming an H2 2026 effective date

 

How We Can Help

We’ve been supporting financial services firms for years, helping them turn operational resilience requirements into practical action. Get in touch with our team to support your CP24/28 preparation.
