On 18 March 2027, the guidance on operational incident reporting for firms with Part 4A permission, payment service providers (PSPs), credit rating agencies, and other financial firms enters into force. The guidelines establish a standardised process for reporting significant operational disruptions to protect consumers and maintain market stability. The guidance defines an operational incident as a single event or series of linked events that disrupts service delivery to external end users or impacts the availability, authenticity, integrity, or confidentiality of their data. Firms must report incidents that meet specific thresholds, including those posing risks of intolerable harm to consumers, threats to the safety and soundness of the firm or market participants, and risks to market integrity or the UK financial system. The framework introduces two reporting tiers: standard and enhanced. Standard reporting requires basic information in a single report, while enhanced reporting for specific high-impact firms involves initial, intermediate, and final phases over the incident lifecycle. Firms are required to submit reports as soon as practicable, with a 24-hour limit for general firms and a 4-hour limit for PSPs following detection. The guidance clarifies that planned interruptions and "near misses" (such as potential incidents that were thwarted or contained/prevented crystallised incidents) do not require reporting under this specific mechanism unless they meet established thresholds. This unified framework replaces separate incident reporting systems previously used by PSPs and registered credit rating agencies to ensure a structured approach to thematic analysis and incident response.