Bank of England finalises IOREP operational incident and third-party reporting rules for FMIs effective 18 March 2027 and consults on revoking duplicate CCP incident reporting rule

The Bank of England has published a policy statement setting out its final Operational Incident and Outsourcing and Third-Party Reporting (IOREP) rules and guidance for financial market infrastructures (FMIs), establishing standardised reporting of significant operational incidents and material third-party arrangements to support operational resilience and financial stability oversight. The framework applies to recognised UK central counterparties (CCPs), recognised UK central securities depositories (CSDs), recognised payment system operators (RPSOs) and specified service providers (SSPs), with reporting submitted via Financial Conduct Authority platforms, and will take effect on 18 March 2027. Under IOREP, in-scope FMIs must submit staged operational incident reports when they reasonably believe an incident meets the reporting threshold, notify the Bank when entering into or significantly changing a material third-party arrangement, and provide an annual register of material third-party arrangements. The final policy seeks to reduce duplication with existing obligations, clarifies that IOREP is expected to be the sole route for reporting relevant operational incidents while Fundamental Rule 7 disclosure expectations remain, and updates reporting documents to reduce burden, including consolidating incident reporting into a single form completed across phases and revising data fields to improve interoperability with the Financial Stability Board’s Format for Incident Reporting Exchange. Material third-party reporting is also adjusted through separate notification and register templates, removal of various fields, and an option to record ‘N/A’ where a third party does not have a Legal Entity Identifier. Alongside the final package, the Bank is consulting until 18 June 2026 on revoking Rule 4 of the Recognised Clearing House Rules Instrument 2018 for CCPs to remove duplicative incident reporting requirements, intended to take effect when IOREP comes into force. The Bank also intends to amend and reissue RPSO and SSP firm-specific notices to remove operational incident reporting, and notes that IOREP reporting by CSDs will be treated as meeting the existing UK Central Securities Depositories Regulation incident reporting requirement.