On 18 March 2026, the FCA confirmed major updates to incident and third‑party reporting requirements designed to strengthen operational resilience across UK financial services. These changes aim to give firms clearer, more consistent rules, reduce duplicated reporting burdens, and improve sector‑wide visibility into emerging cyber and operational threats.
Mark Francis, Director of Specialists and Wholesale sell-side at the FCA, said:
“Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties to deliver the essential financial services consumers rely on.”
Cyber attacks are not only rising, but they’re also growing more sophisticated. In 2025, over 40% of cyber incidents reported to the FCA involved third‑party providers, highlighting the scale of dependency risk built into modern digital supply chains. High‑profile disruptions, including outages at Cloudflare and AWS, further underscored the fragility of essential services when a key provider experiences downtime. The FCA’s updated rules aim to address this head‑on.
What’s changing? Key highlights from the FCA
The FCA, in collaboration with the PRA and Bank of England, has introduced several structural improvements that firms will need to prepare for:
- A single, streamlined reporting regime
  Firms will now report incidents and material third‑party arrangements through a single reporting portal, removing duplicated submissions for payment service providers and credit rating agencies.
- Reduced reporting burden
  Most FCA solo‑regulated firms will complete a short-form incident report with refined information requirements, a noticeable reduction in administrative overhead.
- Clearer thresholds and definitions
  The FCA’s final rules include standardised definitions of operational incidents, thresholds for reporting, and clarified responsibilities for firms.
- Enhanced third‑party visibility
  Firms must now:
  - Notify the FCA of new or significantly changed material third‑party arrangements.
  - Maintain an internal register of these arrangements and submit it annually.
- Implementation timeline
  Firms have 12 months to prepare, with the new regime going live on 18 March 2027.
What this means for firms
The FCA is seeking faster, clearer, and more actionable reporting to help regulators:
- Respond quickly during major disruptions.
- Share insights and trends across the sector in real time.
But with increased expectations around oversight, governance, and third‑party accountability, firms need tools that help them document, monitor, and verify crucial information efficiently.
That’s where Veriphy comes in.
How we help firms adapt to the new FCA framework
Veriphy has long supported financial firms with compliance‑focused identity verification, monitoring, and due‑diligence solutions. Now, in the context of the FCA’s regulatory changes, our capabilities align even more closely with what firms need to remain resilient.
Here’s how Veriphy strengthens your operational and third‑party reporting capabilities:
Centralised verification and monitoring of third‑party providers
Maintain confidence in supplier relationships with:
These features help firms satisfy the FCA’s requirement to maintain stronger visibility across material third‑party arrangements.
Fast, accurate data for incident response
When an incident occurs, having reliable data at your fingertips is crucial. Veriphy provides:
- Instant company intelligence
- Rapid reference checks for internal assessments
This supports the FCA’s push for quicker, more consistent incident reporting.
Evidence‑ready audit trails
The FCA’s new rules emphasise clarity and documentation. Veriphy’s platform logs verification activity automatically — giving your compliance team ready‑to‑submit records that align with the regulator’s expectations for transparency.
Easy integration into existing workflows
With the FCA introducing a single cross‑regulator reporting portal, Veriphy tools can complement your reporting workflow by providing the structured, accurate information needed to complete submissions.
Richard Devine, Solutions Consultant at Veriphy, said:
“The FCA’s updates are a wake‑up call for the entire sector. Firms now need sharper visibility not only into their own operations but into every third‑party link that keeps them running.”
“What we’re seeing across our clients is a growing need for dependable, real‑time information. Veriphy gives firms that clarity — whether they’re verifying a critical supplier, tracking risk signals, or preparing for incident reporting. The new regime isn’t just about compliance; it’s about building a culture of operational confidence, and that’s exactly where our technology shines.”
The FCA’s new incident and third‑party reporting rules mark a significant shift in how firms must manage operational resilience. With clearer guidance, reduced duplication, and a unified reporting approach, the industry is moving toward a more robust and transparent regulatory future.
As firms prepare for March 2027, Veriphy’s suite of verification and monitoring tools is ready to help strengthen your operational oversight, support compliance teams, and build resilience into your critical third‑party networks.
If you’d like help preparing for the FCA’s new framework — or want to explore how Veriphy can support your resilience strategy — our team is here to help.