Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Business Continuity

Your BCP Activation Just Became a Regulatory Notification Trigger: What FCA/PRA PS26/2 Requires by March 2027

The FCA and PRA published PS26/2 in March 2026, establishing a new operational incident reporting regime that hardwires regulatory notification into BCP activation. Financial institutions with UK operations have until March 18, 2027 to comply. Here's what needs to change in your BCP.

By Rebecca Leung · July 1, 2026 ·
Table of Contents

TL;DR

  • On March 18, 2026, the FCA and PRA published PS26/2 and PS7/26, establishing a new operational incident reporting regime that explicitly links BCP activation to regulatory notification
  • Firms must notify via FCA Connect within 24 hours of determining an incident is reportable; payment service providers face a 4-hour window from detection
  • BCP activation is named as a “significant change” requiring a regulatory update — your BCP flowchart needs a notification obligation decision point built in
  • Third-party reporting expanded: material non-outsourcing arrangements now require pre-contractual notification, not just outsourcing
  • March 18, 2027 implementation deadline — 12 months from publication

Your business continuity plan tells your team what to do when something breaks. Activate the BCP. Convene the crisis team. Invoke your recovery procedures. Execute the plan.

What most BCP activation flowcharts don’t tell you: call your regulator.

When the FCA and PRA published PS26/2 and PS7/26 on March 18, 2026, they established something most BCP programs weren’t built to handle. Under the new unified operational incident and third-party reporting regime, BCP activation is explicitly identified as a “significant change” that requires a regulatory update — when the triggering incident meets the notification thresholds. That update must happen within 24 hours of your firm determining the incident is reportable. For payment service providers, the clock runs even faster: 4 hours from first detection.

Your BCP procedures need a new step. Financial institutions with UK operations have until March 18, 2027 to put it there.

What PS26/2 Actually Changed

The FCA, PRA, and Bank of England have had notification expectations for significant operational incidents for years. What PS26/2 creates is a unified, explicit, rule-based framework that replaces previous guidance with binding requirements and defined timelines.

Three things changed materially:

Notification timing is now a rule, not a principle. The prior framework relied on Principle 11 (relations with regulators) and supervisory expectations about “timely” notification. PS26/2 defines timely: 24 hours from determination for FCA-regulated firms. 4 hours from detection for payment service providers. The previous “we’ll notify when we have enough information” posture is no longer defensible.

BCP activation is named as a notification trigger. This is the detail that will catch BCP owners off guard. The new regime explicitly identifies BCP activation as a “significant change” that requires a regulatory update during an ongoing incident. The moment your crisis team decides to activate your BCP, that decision is also supposed to prompt a notification assessment. Your incident command structure needs to run two tracks simultaneously: technical containment and regulatory notification.

Third-party reporting scope is significantly broader. Previously, outsourcing arrangements of certain types required notification. PS26/2 extends this to material non-outsourcing third-party arrangements — and requires notification early in the decision-making process, before contractual commitment. If your firm is evaluating a new critical vendor relationship, the notification obligation may attach before you’ve signed the contract.

The Incident Definition: What Triggers the Notification

Under PS26/2, a reportable operational incident is one that:

  • Disrupts the delivery of services to external end users; or
  • Compromises the availability, authenticity, integrity, or confidentiality of data held for external users

The threshold requires the incident to be “significant” — meaning it has meaningful impact on the firm’s services or on user data, at a scale assessed against the firm’s particular size and service profile. The final rules include additional materiality guidance, but the essential test is: did this affect real users, or did it create real risk to their data?

An extended system outage that takes your UK banking platform offline qualifies. A significant data breach at a vendor processing UK customer data qualifies. A BCP activation in response to a physical site event that disrupts service delivery to UK clients qualifies. A brief internal IT issue that had no user impact and was resolved before customers noticed does not.

The notification clock for the 24-hour window starts when the firm determines the incident is reportable — not when the incident began. For PSPs, the 4-hour clock starts from first detection, period.

What Your BCP Needs to Change Before March 2027

Most business continuity plans follow a structure like this: trigger event → activate BCP → execute recovery procedures → resume operations. The regulatory notification step, when it appears at all, is typically after-the-fact documentation.

PS26/2 changes that sequence for UK-regulated firms. Here’s what the updated flow needs to include:

BCP StepWhat Changes Under PS26/2
Incident detectionPSPs must track from detection; all others from determination of significance
Initial triageAdd notification obligation assessment: does this meet reporting thresholds?
Crisis team activationNotification decision must be documented with timestamp
BCP activation decisionIf incident is reportable, BCP activation = additional notification trigger (significant change)
Recovery executionOngoing notification updates as significant changes occur
Regulatory communicationFCA Connect submission within 24 hours of determination (not after recovery)

The practical implementation means your crisis team lead — whoever chairs your incident management or BCP activation call — needs a checklist item that explicitly asks: “Is this a reportable incident? If yes, who is filing the FCA Connect notification and on what timeline?” That question needs to be asked in the first meeting, not three days later when recovery is complete.

This should also feed into your annual BCP review triggers. The PS26/2 implementation deadline in March 2027 is a firm date for updating both the plan and the activation procedures.

US Firms with UK Operations: This Is Your Problem Too

If you work at a US-headquartered bank, asset manager, payment firm, or fintech with UK regulatory authorization, PS26/2 applies to your UK entity’s operations. Your group BCP framework needs to account for jurisdiction-specific notification obligations that now differ materially between the US and the UK.

Under the FFIEC 36-hour notification rule, US banking organizations must notify their primary federal regulator within 36 hours of determining a significant computer security incident occurred. Under PS26/2, your UK entity must notify via FCA Connect within 24 hours of determining an incident is reportable — a stricter timeline with a broader incident scope that extends beyond cybersecurity to all operational disruptions.

Firms running unified incident response and BCP across jurisdictions need to build jurisdiction-specific notification lanes. When an incident affects both your US and UK operations, you’re managing two notification clocks simultaneously: the 36-hour federal clock and the 24-hour FCA clock. The faster one sets the pace, and the clocks don’t sync.

CIRCIA’s 72-hour reporting requirements add another clock for covered critical infrastructure entities. The trend across jurisdictions is unmistakable: notification windows are contracting, and “we needed more information” is becoming less defensible as an explanation for delayed notification.

The Third-Party Angle: Vendor Onboarding Just Got More Complicated

The third-party changes in PS26/2 are the element most TPRM programs weren’t designed to handle.

Prior to PS26/2, UK outsourcing rules focused primarily on designated “material outsourcing” arrangements — formal delegations of operational functions to third parties. The new regime extends notification obligations to material non-outsourcing third-party arrangements. An important operational dependency on a SaaS platform that isn’t technically an outsourced function might still require pre-engagement regulatory notification.

More significantly: the timing requirement moved forward. Notification of new material third-party arrangements must happen early in the decision-making process, before contractual commitment. Your vendor procurement process, which probably includes a TPRM review stage before signing, now needs a regulatory notification decision point inserted before that stage.

For firms managing supply chain incidents where disruption originates at a vendor — exactly the scenario PS26/2 was designed to address — the pre-contractual notification requirement adds a preventive layer. Regulators see the arrangement before it becomes an incident.

Why US Regulators Are Watching

PS26/2 represents the most structurally significant operational incident reporting framework published by a major financial regulator in 2026. The FCA and PRA moved from principles to rules, from aspirational to binding, and from after-the-fact documentation to pre-incident framework requirements.

The FFIEC is watching. The 36-hour notification rule has been in effect since 2022, but the direction of regulatory travel on both sides of the Atlantic is toward more explicit requirements, tighter timelines, and examination scrutiny of notification infrastructure built before incidents happen — not assembled during them.

The operational resilience frameworks developing in both jurisdictions share a common premise: regulators want firms that can keep operating under adverse conditions, and they want to know immediately when that capability is being tested. Your BCP is no longer purely an internal recovery document. For UK-regulated firms, it is now a notification trigger.

So What?

PS26/2 takes effect March 18, 2027. Here’s what needs to happen before that deadline:

For firms with UK regulatory authorization: Map your existing BCP activation procedures against the PS26/2 notification requirements. Identify the gaps — specifically, where your activation flowchart currently has no regulatory notification step. Update your incident command structure to include a notification obligation assessment at the triage stage. The FCA Connect submission process needs to be tested before the regulation goes live, not learned for the first time during an actual incident.

For firms with material UK third-party arrangements: Audit your vendor onboarding workflows against the new pre-contractual notification requirement. Identify any arrangements that may qualify as material non-outsourcing third-party arrangements under the expanded definition.

For US-only firms: This is a leading indicator. The trajectory of US regulatory development on operational incident reporting — from the FFIEC 36-hour rule to the CIRCIA framework — mirrors what the UK just formalized. Building a notification-ready BCP now costs the same as building one after US regulators get there.

The call to activate your BCP is no longer a purely internal decision. Build the regulatory notification step in before March 2027 — not after the FCA calls to ask why they heard about it late.


Sources:

The Business Continuity & Disaster Recovery (BCP/DR) Kit includes BCP activation checklists, incident notification timelines, crisis team flowcharts, and recovery procedure templates — built for practitioners managing regulatory notification obligations alongside technical recovery.

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What is FCA/PRA PS26/2 and when does it take effect?
PS26/2 (FCA) and PS7/26 (PRA) were jointly published on March 18, 2026, establishing a new unified operational incident and third-party reporting regime for UK-regulated financial firms. The rules take effect on March 18, 2027, giving firms 12 months to implement the required changes. The regime requires firms to notify regulators within 24 hours of determining that an incident meets reportable thresholds — or within 4 hours from first detection for payment service providers.
Does PS26/2 apply to US-headquartered banks and fintechs with UK operations?
Yes. PS26/2 applies to FCA-regulated firms and PRA-regulated firms, which includes UK branches and subsidiaries of US-headquartered banks, asset managers, payment firms, and other financial services providers. If your UK entity holds an FCA authorization or PRA permission, these rules apply to that entity's operations. Your group BCP and incident response frameworks need to be updated to incorporate the UK-specific notification requirements before March 18, 2027.
What types of incidents must be reported under the new FCA/PRA rules?
The reporting obligation is triggered by incidents that disrupt the delivery of services to external end users, or that compromise the availability, authenticity, integrity, or confidentiality of data held for external users. BCP activation is explicitly identified as a 'significant change' that requires a regulatory update when associated with a reportable incident — meaning the BCP activation decision and the notification obligation analysis need to happen simultaneously.
How does the PS26/2 notification window work in practice?
FCA-regulated firms must submit notification via FCA Connect no later than 24 hours after determining that an incident is reportable. Payment service providers face a tighter window: 4 hours from the point of first detection. The clock does not start from when the incident began — it starts from when the firm determines the incident meets reporting thresholds. This means your incident triage process needs an explicit notification obligation assessment step that runs immediately, in parallel with technical containment.
What changed in the third-party reporting requirements under PS26/2?
PS26/2 significantly expanded the scope of arrangements requiring regulatory notification. Under the new rules, firms must notify regulators of both material outsourcing arrangements AND material non-outsourcing third-party arrangements. Critically, notifications must occur early in the decision-making process — before contractual commitment — not just when the arrangement goes live. This changes vendor onboarding workflows for any arrangement that could be classified as material.
How does the UK PS26/2 24-hour notification rule compare to the US FFIEC 36-hour rule?
The UK regime is stricter on timing — 24 hours versus the FFIEC's 36-hour window — and more explicit about BCP activation as a notification trigger. Both share the same conceptual foundation: regulators need timely notification of significant operational incidents, not after-the-fact reporting once recovery is complete. For US firms with UK operations, you're now managing two parallel notification clocks with different starting points and different definitions of 'significant.' Your incident command structure needs to know which obligations run on which timeline.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Business Continuity & Disaster Recovery (BCP/DR) Kit

BCP and DR templates with BIA, recovery procedures, and a standalone tabletop exercise kit.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.