Britain's financial firms have built their operations on a foundation of interconnected technology and outsourced services. That architecture has delivered speed and scale, but it has also created a web of dependencies that regulators are no longer willing to leave unmonitored.
According to RiskSmart, PS26/2, the UK's new standardised framework for operational incident and third-party reporting, signals a decisive shift in how the FCA, PRA, and Bank of England expect firms to govern their most critical risks. The clock is already ticking, with the rules taking effect on 18 March 2027.
RiskSmart recently delved into PS26/2 and what UK financial firms need to know about operational incident and third-party reporting.
The framework rests on two distinct obligations. The first concerns operational incidents: firms must report any event that materially affects customers, markets, or the safety of the business itself. That includes cyberattacks, technology failures, fraud, service disruptions, and significant human errors. Not every incident warrants a submission to regulators, but every material one does, and firms are expected to track all events internally regardless. Reports come in two forms: a standard format for routine material incidents, and an enhanced format for those that carry systemic or major consequences. One of the more practical features of the regime is that a single report satisfies the requirements of all three regulators simultaneously, removing what has historically been a significant administrative burden.
The second obligation concerns third parties. Firms must build and maintain a formal register covering every material supplier, outsourcing partner, and critical operational dependency. Any new arrangement or substantive change must be communicated to regulators, and firms must hold documented evidence of how they assess, monitor, and manage the risks those relationships carry. The expectation is not just that firms know who their third parties are, but that they can demonstrate active, ongoing oversight of them.
Both obligations converge on a common theme: accountability. Regulators want to see structured processes, documented decisions, and auditable records. For many firms, that will mean a candid assessment of whether current systems are genuinely fit for purpose or simply adequate on the surface.
That gap is where RegTech solutions are finding real traction. RiskSmart has built its platform around precisely these requirements. For incident management, its Issues module captures events through configurable intake forms, records root cause analysis, categorises impacts across financial, operational, compliance, reputational, and legal dimensions, and calculates total losses automatically. Remediation actions are tracked with assigned ownership and deadline alerts, and closure requires sign-off through configurable multi-stage workflows. Every update is written to an immutable audit trail. Employees can submit incidents via a public reporting form without needing a system login, which addresses one of the most persistent weaknesses in front-line reporting culture.
On the third-party side, RiskSmart's dedicated module holds a centralised register with classification by type, criticality, and materiality. A built-in questionnaire builder allows teams to distribute version-controlled due diligence templates through a vendor portal, where suppliers can respond, upload evidence, and submit directly. Each third party can be connected to associated risks, controls, and issues, giving compliance teams clear visibility of how supplier relationships sit within the wider risk framework. Key risk indicators can be applied to SLAs and performance metrics, with threshold alerts flagging concerns before they escalate.
Reporting across both modules is handled through custom data sources, allowing firms to define standard and enhanced PS26/2 report templates and generate them on a schedule or on demand, with export options spanning S3, Azure Blob, SharePoint, SFTP, and REST API.
Eighteen months is not as long as it sounds when operational frameworks, staff training, and technology upgrades all need to move together. Firms that begin now, mapping their third-party landscape, stress-testing their incident response processes, and identifying gaps in their current reporting infrastructure, will be in a far stronger position than those that treat March 2027 as a distant deadline.
Done properly, PS26/2 compliance is not simply about satisfying a regulatory checklist. It is a forcing function for the kind of operational discipline that protects customers, preserves institutional confidence, and keeps firms ahead of the risks that a technology-dependent industry will inevitably continue to face.