Our Take
PS26/2 is a regulation, not a technology story, but it will force genuine operational triage in firms that have spent years hiding third-party sprawl behind speed-to-market.
Why it matters
UK financial firms operate on outsourced technology and vendor relationships they cannot fully map. Regulators are no longer tolerating that opacity, and 18 months is tighter than most compliance teams assume when cultural and systems change must move together.
Do this week
Compliance leads: audit your third-party register against your actual vendor spend this month so you can identify gaps before platform selection.
The FCA, PRA, and Bank of England enforce PS26/2 on 18 March 2027
Britain's financial firms have built scalable operations on a foundation of interconnected technology and outsourced services. That architecture delivered speed and scale. It also created a web of dependencies that regulators are no longer willing to leave unmonitored.
PS26/2 introduces a standardised framework for operational incident and third-party reporting across all three regulators. The framework rests on two distinct obligations.
The first concerns operational incidents. Firms must report any event that materially affects customers, markets, or the safety of the business itself. This includes cyberattacks, technology failures, fraud, service disruptions, and significant human errors. Not every incident warrants regulator submission, but every material one does. Reports come in two forms: a standard format for routine material incidents, and an enhanced format for those with systemic or major consequences.
The second obligation concerns third parties. Firms must build and maintain a formal register covering every material supplier, outsourcing partner, and critical operational dependency. Any new arrangement or substantive change must be communicated to regulators, and firms must hold documented evidence of how they assess, monitor, and manage the risks those relationships carry.
A practical feature: a single report satisfies the requirements of all three regulators simultaneously, removing what has historically been a significant administrative burden.
Compliance means operational discipline, not just a new form
Both obligations converge on a common theme: accountability. Regulators want to see structured processes, documented decisions, and auditable records. For many firms, that will mean a candid assessment of whether current systems are genuinely fit for purpose or simply adequate on the surface.
Eighteen months is not as long as it sounds when operational frameworks, staff training, and technology upgrades all need to move together. Firms that treat March 2027 as a distant deadline will discover in month 15 that they lack the systems, people, and documented controls to comply cleanly.
Done properly, PS26/2 compliance is a forcing function for the kind of operational discipline that protects customers, preserves institutional confidence, and keeps firms ahead of the risks that a technology-dependent industry will inevitably continue to face.
Start with third-party mapping and incident response stress tests now
Firms should begin by mapping their third-party landscape. That means identifying every material supplier, outsourcing partner, and critical dependency, then classifying each by type, criticality, and materiality. Few firms have a complete, accurate register today.
Second, stress-test incident response processes. Can your team identify a material incident within the timeframe regulators expect? Can you document root cause, calculate losses, track remediation, and close through multi-stage sign-off? If the answer is manual spreadsheets and email chains, you have an infrastructure problem.
Third, identify gaps in your current reporting infrastructure. Can you generate compliant standard and enhanced reports on demand? Can you export to the systems regulators require (S3, Azure Blob, SharePoint, SFTP, REST API)? If not, start selecting tooling now, not in month 17.
RegTech vendors are positioning products to handle both incident management and third-party registers, but the decision should follow the mapping work, not precede it. Know what you are trying to solve before you buy the tool.