The FCA has published PS26/2, finalising new rules on operational incident reporting and material third‑party reporting. These rules introduce a unified FCA–PRA–Bank of England reporting regime and significantly change how firms must notify regulators about serious operational disruptions and key third‑party dependencies.
The rules come into force on 18th March 2027, with a 12‑month implementation period.
Although mortgage brokers are not typically considered high‑risk operationally, the FCA is clear that all regulated firms can experience incidents that impact consumers or markets.
The sector is also facing a rapidly evolving threat landscape. Threat actors are targeting financial services more frequently and with greater sophistication, and they increasingly attack the third‑party providers firms rely on for CRM systems, sourcing tools, telephony, and cloud services.
At the same time, firms are becoming more interconnected, and many third parties now deliver services using fast‑moving technologies such as AI. This means that even non‑malicious incidents such as outages, data corruption, or supplier failures can have wider and more systemic impacts than before.
The new regime is designed to give regulators faster, more structured visibility of serious disruptions.
This means mortgage firms must be ready to:
The FCA, PRA and Bank of England now share one definition. An incident is reportable if it disrupts operations such that it:
Mortgage firms must assess whether an incident affects customers, introducers, lenders, or other external users.
The FCA has emphasised that the threshold for reporting is intentionally high. This is to avoid over‑reporting and ensure regulators receive only incidents with meaningful impact.
AMI’s view is that, while most mortgage firms will rarely meet the threshold, market‑wide outages (e.g., major CRM failures, sourcing system outages during product withdrawals, cyber incidents affecting customer data) could trigger reporting.
A firm must report when it reasonably believes the incident poses a risk of any one of the following:
Routine outages, planned maintenance, and near‑misses are not reportable.
While firms should report an incident within 24 hours of determining that it meets the FCA’s thresholds, they should not wait 24 hours to report to the FCA.
Most mortgage firms will fall into the standard category notification form.
Only a small number of strategically important firms (typically large banks, payment firms, and critical service providers) fall into the enhanced category.
These apply only to enhanced scope SMCR firms, banks, and other larger institutions.
Most mortgage intermediaries will not be in scope for third‑party notifications but all firms should still maintain strong oversight of outsourced providers, especially IT, CRM, and telephony suppliers.
Why most mortgage intermediaries are not in scope:
Therefore, most are not required to submit third‑party notifications.
Ensure you can identify when an incident meets the FCA’s thresholds.
Processes must allow rapid submission of structured information. The FCA does not define “rapid,” but firms should assume prompt reporting once the threshold is met, no unnecessary internal delays and clear escalation routes
The FCA expects firms to understand how incidents affect consumers and markets.
For small firms, the FCA does not expect highly formalised BCPs. A proportionate approach may include:
Even if not in scope for formal reporting, firms must ensure robust oversight of IT, software, and outsourced services.
Particularly those responsible for operational resilience, IT, and compliance. For larger firms, this may involve IT, operations, and compliance teams.
For smaller firms, it may simply mean identifying who is responsible for IT and documenting proportionate processes.
https://www.fca.org.uk/publication/finalised-guidance/fg26-3.pdf – Operational Incident Reporting (Please see pg12-14 for additional information on standard incident reporting)
https://www.fca.org.uk/publication/finalised-guidance/fg26-4.pdf – Material Third Party Reporting
We encourage our members to contact us if they have anything they wish to discuss. Please share your thoughts by emailing us.
This information is correct at the time of writing and based on the FCA’s published Policy Statement PS26/2. Firms should continue to monitor both AMI and FCA updates as further guidance and the new reporting portal are released.
© 2026 Association of Mortgage Intermediaries Limited.
AMI is the trading name of The Association of Mortgage Intermediaries Limited which is a company limited by guarantee, registered in England and Wales under the Companies Acts with number 7982341. Our registered address is Celixir House, Stratford Business & Technology Park, Innovation Way, Banbury Road, Stratford-upon-Avon, Warwickshire, CV37 7GZ.
