PS26/2 and why third-party risk just got urgent

The financial sector’s growing reliance on technology and third-party providers has long been a double-edged sword. The efficiency gains are real, but so too are the risks: from IT outages and cyberattacks to supplier failures and human error.

According to RiskSmart, the UK’s financial regulators have responded with PS26/2, a new policy statement that fundamentally reshapes how firms must identify, record, and report operational incidents and third-party dependencies. With the rules going live on 18 March 2027, the window for preparation is narrowing fast.

RiskSmart recently examined PS26/2 and what UK financial firms need to know about operational incident and third-party reporting.

At its core, PS26/2 is a statement of regulatory intent: firms must be able to account for anything that materially affects their operations or customers, and they must do so in a clear, consistent, and timely manner. The framework is built around two interconnected pillars, operational incident reporting and material third-party reporting, and it applies to a broad range of authorised entities, from banks and large insurers to payment service providers, building societies, and registered credit rating agencies.

On the incident reporting side, PS26/2 introduces two distinct report formats. Standard reports will cover routine material incidents such as IT system failures, service outages, fraud, or significant human errors, while enhanced reports are reserved for major incidents or those with systemic implications.

Critically, only material incidents trigger a formal submission to regulators, though firms are expected to maintain internal records of all operational events. Initial notifications must be submitted promptly after detection, with follow-up reports detailing root cause, impact assessment, and remediation steps. The same report format is accepted by the FCA, PRA, and Bank of England, eliminating the burden of submitting three separate versions to different bodies.

The third-party component of PS26/2 is equally demanding. Firms are required to maintain a comprehensive register of all material third-party relationships, including outsourcing arrangements and critical operational dependencies. Regulators must be notified of new arrangements or significant changes, and firms must be prepared to demonstrate robust due diligence, ongoing monitoring, and risk management for each relationship. This is not merely a paperwork exercise; regulators expect genuine oversight, not box-ticking.

For many firms, meeting these requirements will require meaningful investment in systems and processes. Governance teams will need to ensure that incident management workflows are both structurally sound and auditable, with clear lines of ownership, escalation protocols, and immutable records. Third-party risk functions will need centralised registers that go beyond contract management to capture materiality classification, performance monitoring, and direct linkage to the firm’s broader risk and control environment.

RegTech providers are positioning themselves to support this transition. RiskSmart, for example, offers modules designed to address both pillars of PS26/2 directly. Its Issues module enables configurable incident intake, structured root cause analysis, categorised impact and loss tracking, and multi-stage approval workflows, all underpinned by an audit trail built for regulatory scrutiny.

A public reporting form allows any employee to flag an incident without requiring a system licence, which lowers one of the most common barriers to timely front-line reporting. Its Third-Party module provides a centralised supplier register with built-in questionnaire tools, a vendor portal for evidence submission, and key risk indicators to monitor SLA performance and flag emerging issues. Reporting capabilities allow firms to define standard and enhanced report templates once, then generate and export them on demand, with custom fields for PS26/2-specific data points such as materiality classification and regulator notification status.

The deadline of 18 March 2027 may feel distant, but the lead time is genuinely necessary. Firms should use it to audit existing operational risk frameworks, identify and formally document all material third-party relationships, upgrade incident management infrastructure, and ensure that staff at every level understand their escalation and reporting obligations.

PS26/2 is more than a compliance exercise. Handled well, it is an opportunity to build the kind of resilient, transparent, and accountable operations that regulators, customers, and boards increasingly expect. Firms that treat it as such, rather than a last-minute filing challenge, stand to gain a meaningful operational and reputational advantage.

Read the full RiskSmart post here.

Copyright © 2026 RegTech Analyst
