In an increasingly interconnected world, operational resilience is no longer a luxury but a necessity, especially for the financial services industry.
Many organisations within the financial sector increasingly rely on third parties to support and in some cases fulfil their critical and important operations. In order for firms to genuinely build operational resilience, they need to increase the resilience standards of the suppliers and ecosystems on which they depend.
Recognising this, the Bank of England (BoE), Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) jointly released the Consultation Paper (CP) 17/24, aiming to strengthen and advance the sector's ability to withstand and recover from disruptive operational events. This explores two crucial areas:
CP 17/24 is a direct response to critical vulnerabilities in many firms’ current operational resilience framework. The paper highlights several key weaknesses that merit consideration.
First, inconsistent incident reporting, stemming from a lack of standardised frameworks, hinders regulatory oversight and timely intervention. This inconsistency makes it difficult to gain a clear, sector-wide view of potential threats.
Second, the growing reliance on third-party providers is not matched by sufficient transparency. Regulators lack comprehensive data on these relationships, making it challenging to assess systemic risks and vendor lock-in (over-reliance on a single provider).
Finally, the current approach to regulatory oversight should be more comprehensive and consistent. A more structured approach to data collection is crucial for proactive risk management.
To address these weaknesses and enhance the UK financial sector's resilience, CP 17/24 proposes several key measures.
One of the most significant changes is the introduction of standardised incident reporting. Financial institutions will be required to report incidents that exceed defined PRA Rulebook thresholds, ensuring consistency, enabling timely regulatory intervention and sector-wide analysis. This will provide regulators with a clearer picture of emerging threats and vulnerabilities.
Furthermore, CP 17/24 expands the scope of regulatory oversight from material outsourcing to all material third-party arrangements. This broader scope includes the introduction of a mandatory "Register of Material Third-Party Arrangements". Firms must maintain and submit this register to the PRA annually, ensuring transparency, risk identification and regulatory oversight of sector-wide third-party risks.
Separately, firms must now submit notifications to the PRA before entering or significantly amending any material third-party arrangement where risks require increased due diligence, governance, or risk management. This is no longer solely confined to Material Outsourcing arrangements. These proactive notifications, submitted via a standardised template, help regulators assess potential sector-wide impacts, such as concentration risk and over-reliance on a single provider, before risks materialise.
The FCA focuses on preventing intolerable harm to customers of financial institutions, while the PRA prioritises systemic risks to the industry. The PRA will use data from firms’ registers to identify the impact that failure of critical third parties could have on the sector’s overall financial and operational stability, aligning with the Critical Third-Party Regulatory Framework (PS16/24).
Importantly, the approach outlined in CP 17/24 aligns with global standards like the Financial Stability Board's FIRE format and the EU's Digital Operational Resilience Act (DORA). This alignment simplifies compliance for firms operating internationally and promotes greater consistency across financial institutions.
CP 17/24 is issued alongside the BoE's Transforming Data Collection Initiative. This initiative aims to improve the quality, consistency, and transparency of regulatory reporting. By aligning with this initiative, CP 17/24 seeks to leverage data as a cornerstone of enhanced operational resilience. Standardised reporting will provide benchmarks for institutions and deliver insightful data for regulators, enabling more effective oversight and risk management. In addition, integrating real-time reporting, data on critical third parties (to inform potential future CTP designations under SS6/24), and open standards will further enable proactive risk identification and mitigation.
The implementation of CP 17/24 is scheduled for no earlier than the second half of 2026. Firms will submit incident reports via the FCA's Connect Portal and third-party registers via RegData. The consultation period, which closed on 14 March 2025, offered a valuable opportunity for industry feedback and collaboration.
CP 17/24 signifies a crucial step towards a more resilient UK financial sector. By addressing key weaknesses in incident and third-party reporting and embracing a data-informed approach, the paper lays the groundwork for a more robust, resilient, and transparent financial ecosystem. Financial institutions that proactively engage with these changes, prioritise transparency, and invest in digital capabilities will be best positioned to navigate future challenges and contribute to a stable financial future.
To achieve operational resilience in line with CP 17/24, firms should embrace a technology-driven and data-centric approach to third-party oversight. By leveraging analytics, firms can proactively identify vulnerabilities, manage risks, and demonstrate strong alignment to regulatory expectations. Investing in technology and data capabilities will be crucial to enhancing transparency, improving reporting accuracy, and strengthening resilience across third-party relationships.
Firms should proactively prepare for the implementation of CP 17/24 by focusing on the key areas outlined below:
By taking these proactive steps, firms can not only meet the regulatory requirements but also strengthen their operational resilience, mitigate risks, and contribute to a more stable and resilient financial system.