PS26/2: What UK financial firms need to know about Operational Incident & Third-Party reporting

Ben Pearce-Fulker, Risk & Engagement Lead

Why PS26/2 Matters

The modern financial world runs on tech and networks, and increasingly on third-party providers. That’s great for efficiency, but it comes with new risks: IT outages, cyberattacks, human errors, or a key supplier going offline could disrupt operations and hurt customers.

PS26/2 is the UK regulators’ way of saying: “We want to know about anything that could materially affect your operations or customers, and we want to know in a clear, consistent way.”

In other words, it’s all about operational resilience, accountability, and transparency.

What PS26/2 Covers

PS26/2 introduces a single, standardised reporting framework covering:

Operational Incident Reporting

  • Report significant incidents that impact customers, markets, or your firm’s safety.
  • Think IT system failures, cyberattacks, fraud, service outages, or even human errors.
  • Only material incidents need reporting, but every firm should track all events internally.
  • Two report formats:
      • Standard: For routine material incidents
      • Enhanced: For major incidents or systemic risks

Material Third-Party Reporting

  • Keep a register of all material third-party relationships, including outsourcing and critical dependencies.
  • Notify regulators of new arrangements or major changes.
  • Be ready to show evidence of due diligence, monitoring, and risk management for these third parties.

How and When to Report

Timing and clarity are key:

  • Initial notifications: Submit promptly after detecting an incident.
  • Follow-up reports: Include root cause, impact, and remediation actions.
  • Consistency across regulators: Reports follow the same format for the FCA, PRA, and Bank of England, so you won’t be submitting three different versions!

Who Needs to Pay Attention

PS26/2 applies to a wide range of firms:

  • Banks, large insurers, and designated investment firms
  • Building societies and payment service providers
  • Recognised investment exchanges, trade repositories, and registered credit rating agencies

Depending on the firm type and the incident, you’ll submit either standard or enhanced reports.

What This Means for Firms

Think of PS26/2 as a nudge … and an opportunity:

  • Stronger oversight, better insights: Regulators can act faster when incidents occur, and firms gain clearer expectations for reporting.
  • Accountability and governance: Keeping accurate registers and reporting promptly keeps your firm ahead of regulatory scrutiny.
  • Operational readiness: Now’s the time to test incident management systems, update processes, and train staff.
  • Efficiency across regulators: Standardisation reduces duplication and aligns with international best practices.

How RiskSmart Supports This

Issues

Our Issues module is designed for effective operational incident management, with fully configurable intake forms that capture the fields relevant to each incident type. No rigid templates, just forms aligned to your firm’s classification approach.

Each incident is recorded in a structured format, including dedicated sections for root cause analysis, categorised impacts and losses (Financial, Operational, Compliance, Reputational, and Legal, with automatic total loss calculation), and linked remediation actions with clear ownership, deadlines, and escalation alerts.

A public reporting form allows any employee to submit incidents without logging in or requiring a licence, removing common barriers to timely front-line reporting.

Closure is governed by configurable, multi-stage approval workflows, ensuring full rationale is captured at every step. All updates are logged in an immutable audit trail to support regulatory requirements such as PS26/2.

The result is a single, structured record for every incident, bringing together root cause, impact, remediation, and timeline in one place, providing a true single source of truth for efficient and reliable reporting.

Third Party

The Third-Party module provides a centralised register of all suppliers, outsourcing partners, and critical dependencies, with classification by type, criticality, and configurable fields for PS26/2 requirements such as materiality and contract category.

For due diligence, a built-in Questionnaire Builder enables version-controlled templates that can be distributed via a dedicated vendor portal. Third parties can respond, upload evidence, and submit directly, while your team reviews, approves, rejects, or requests further information through a structured workflow.

Each third party can be linked to relevant risks, controls, and issues, ensuring clear visibility of how supplier relationships connect to your broader risk framework. Key risk indicators (KRIs) can also be applied to monitor SLAs and performance, with threshold-based alerts highlighting emerging issues.

Reporting & Dashboards

Custom Data Sources enable you to create report datasets aligned precisely to regulatory requirements. Define Standard and Enhanced report templates once, then generate them on demand or on a schedule, with flexible export options including S3, Azure Blob, SharePoint, SFTP, or via REST API.

Custom fields allow you to capture PS26/2-specific data, such as materiality classification, regulator notification status, and incident reference numbers, without the need for development.

Implementation Timeline

Mark your calendar: 18 March 2027 is when the rules go live. Firms should use the lead-up time to:

  • Review operational risk frameworks
  • Identify and document material third-party relationships
  • Upgrade incident reporting systems
  • Train staff on escalation and reporting

Bottom Line

PS26/2 is more than just compliance paperwork. It’s about building resilient, accountable, and transparent operations in a world where technology and third parties are critical to business success. By preparing now, firms can not only meet regulatory requirements but also turn PS26/2 into a competitive advantage: protecting customers, maintaining confidence, and staying ahead of operational risks.