
FCA Material Third-Party Reporting: Preparing for the March 2027 Deadline

Darren Craig | 5 July 2026 | 8 min read

On 18 March 2026, the FCA published Policy Statement PS26/2, its final rules on operational incident and third-party reporting, alongside finalised guidance FG26/3 and FG26/4. The rules come into force exactly twelve months later, on 18 March 2027 — and they represent the most significant expansion of UK regulatory visibility into firms' third-party dependencies to date. The PRA published its aligned rules the same day (PS7/26 and SS1/26), and the Bank of England issued a parallel statement for financial market infrastructures, creating a single, coordinated regime across all three supervisory authorities.

If your firm is in scope, you have three new jobs: notify the regulator of material third-party arrangements, build and maintain a register of them, and submit that register annually. None of these is difficult to describe. All of them are difficult to do well from a standing start — which is why the twelve-month runway matters, and why firms that treat 18 March 2027 as the date preparation begins will find it was actually the date preparation needed to be finished.

Why the regulators are doing this

The FCA's own framing is blunt: incidents increasingly originate at third parties, and the sector's dependency on a concentrated pool of providers has become a systemic issue. In 2025, more than 40% of cyber incidents reported to the FCA involved a third party, and high-profile outages at major cloud and infrastructure providers disrupted financial services across the market. The reporting data will let regulators see through firms' supply chains, identify which services are most exposed, and — significantly — help identify potential critical third parties for designation under the UK's Critical Third Parties regime.

Read that last point carefully: every material arrangement you disclose becomes part of the regulator's map of systemic concentration risk. This regime is the data-collection engine for UK third-party supervision for the next decade.

Who is in scope

The third-party reporting requirements apply to a subset of FCA-regulated firms (the incident reporting side of PS26/2 applies far more broadly). Dual-regulated firms face aligned FCA and PRA requirements and make a single submission through a shared system. A few boundary details worth knowing:


  • Intra-group arrangements count. Services provided from elsewhere in your group are assessable for materiality just like external providers, including where the group entity itself depends on outside providers.


  • Subcontracting counts. A third-party arrangement covers any service or product provided to a firm, including subcontracted services — your fourth parties are in view.


  • Third-country branches are excluded from the notification requirements but must still submit the annual register.


  • Firms outside the new regime's scope remain subject to the existing obligations — Principle 11 and the material outsourcing notification rules under SYSC 8 continue to apply.

If you're unsure of your firm's position, resolving that question is step one, and the FCA is running engagement sessions through the implementation window.

What "material" actually means

The rules expand the existing notification regime — which covered material outsourcing — to material third-party arrangements of any kind, outsourcing or not. Your cloud platform, your market data feed, your core banking software vendor: contractual structure no longer determines reportability, importance does.

An arrangement is material where it is so important that its disruption or failure could:


  1. Cause intolerable levels of harm to the firm's clients;


  2. Pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system; or


  3. Cast serious doubt on the firm's ability to satisfy the threshold conditions, meet its obligations under the Principles, or comply with SYSC 15A (operational resilience).

Note how directly limb three connects this regime to your existing PS21/3 work: if a provider underpins an important business service and its failure would breach your impact tolerances, materiality is difficult to argue away. Your operational resilience mapping is the natural starting inventory for the register — and any gap between the two will be visible to your supervisor.

The three obligations in practice

1. Notification of material arrangements. In-scope firms must notify the FCA when entering a new material third-party arrangement or making significant changes to one. There is no rigid deadline; the expectation is notification "at an early stage" of planning — before contractual commitments are finalised, not after. This is not an approval process, but it does mean your vendor onboarding workflow needs a regulatory checkpoint built into it, in the procurement path, before signature.

2. The register. Firms must maintain a register of their material third-party arrangements against a prescribed template. The regulators have provided separate templates for notifications and for the register, and have trimmed data fields from the consultation versions in response to industry feedback — but "trimmed" is relative. Expect to hold structured data per arrangement covering the service, the provider, substitutability, and dependency detail that many firms currently hold nowhere, or hold in contract PDFs and spreadsheets scattered across procurement, legal and IT.

3. Annual submission. The register must be submitted to the FCA annually through the regulators' shared infrastructure (FCA Connect, with RegData in the mix), which goes live with the regime in March 2027. The first annual submission is expected to fall due in the year following implementation — so the register you start building now is the one your supervisor reads.

Alongside all this, the incident reporting side of PS26/2 sets its own clock: initial reports as soon as reasonably practicable and generally within 24 hours of determining an incident meets the threshold (payment service providers retain a 4-hour detection-based deadline) — and incidents originating at third parties are squarely reportable. Your third-party monitoring and your incident process are now the same machine.

How this fits the wider regulatory picture

UK-regulated firms are now operating inside an interlocking set: PS21/3 defines your important business services and impact tolerances; PRA SS2/21 governs outsourcing and third-party risk management for dual-regulated firms; the Critical Third Parties regime (PS24/16) supervises designated providers directly; and PS26/2 now supplies the reporting layer that ties firm-level dependencies to system-level oversight. Firms also operating in the EU will recognise the shape — DORA's Register of Information runs on the same logic — but the templates, thresholds and definitions are not identical, and a copy-paste from your DORA register will not satisfy the FCA's.

A realistic countdown plan

Working back from 18 March 2027:

Now – autumn 2026: inventory and classify. Pull every third-party arrangement — outsourcing or not, external and intra-group — into one place and run the three-limb materiality test against each, anchored to your PS21/3 mapping. Assign a named owner for the regime (for dual-regulated firms, senior accountability expectations point at the operations SMF). Resolve scope questions with the FCA while its engagement programme is running.

Autumn 2026 – winter: close the data gaps. Map the register template against the data you actually hold and start chasing what's missing — which, for most firms, means negotiating with providers. Large technology providers are not always forthcoming with the operational detail the template demands, and provider negotiation is measured in months, not weeks. Firms should not discover in February 2027 that a key provider won't share the data the register requires.

Winter – March 2027: operationalise. Build the notification checkpoint into vendor onboarding, test incident classification against the new thresholds, brief the board, and dry-run a register submission end to end.

The uncomfortable truth about doing this manually

The register is not a one-off filing; it's a living dataset that must stay accurate as vendors change, contracts renew, subcontractors shift and materiality assessments move. Firms attempting this with spreadsheets and quarterly attestation cycles will spend the regime's first year in permanent catch-up — and the FCA will be comparing what firms submit against incident data that increasingly names third parties.

This is precisely the workload RiskXchange's Agency was built for. NOVA runs the vendor evidence-gathering that populates register fields; REX keeps continuous watch on the arrangements themselves so materiality assessments stay current rather than annual; and VANCE assembles regulator-ready reporting — it already produces DORA Register of Information outputs, and FCA material third-party reporting is the same discipline pointed at a different template. One customer's DORA reporting went from a quarter's work to a morning. If you'd rather your 2027 submission were an export than a project, see how it works — pricing's published, unusually for this market.

Frequently asked questions

When do the FCA's material third-party reporting rules take effect?

18 March 2027. The final rules were published in PS26/2 on 18 March 2026, giving firms a twelve-month implementation period, with the PRA's PS7/26 aligned to the same date.

What makes a third-party arrangement "material" under the FCA rules?

An arrangement whose disruption or failure could cause intolerable harm to the firm's clients, pose a risk to the stability or integrity of the UK financial system, or cast serious doubt on the firm's ability to meet threshold conditions, the Principles, or SYSC 15A operational resilience obligations.

Does the regime only cover outsourcing?

No — that's the headline change. The new rules cover both material outsourcing and material non-outsourcing arrangements, including intra-group services and subcontracted dependencies.

What is the annual register requirement?

In-scope firms must maintain a register of material third-party arrangements against the prescribed template and submit it to the FCA annually via the regulators' shared reporting infrastructure, with the first submission expected in the year after the rules take effect.

How does this relate to DORA's Register of Information?

They share the same logic — structured, submittable registers of critical third-party dependencies — but the UK and EU templates, definitions and thresholds differ. Firms in scope of both need both, ideally generated from a single underlying dataset rather than maintained twice.

Last updated: July 2026. This article summarises PS26/2, FG26/4 and related materials for general information; it isn't legal advice, and firms should take their own view on scope and materiality.
