Wider scope, less admin? What the PRA’s latest regulation really means

A broader scope, simpler reporting, and a clear expectation for firms to better understand their supplier ecosystems.

The PRA’s PS7/26 Operational Incident and Third-Party Reporting Policy Statement (March 2026) is best seen as a continuation of an existing direction of travel rather than a fundamental shift.

At a high level, the most notable change in PS7/26 and SS1/26 is the expansion in scope. Financial services firms are now expected to look beyond traditional outsourcing arrangements and consider a wider range of third parties that materially support important business services. This reflects the reality of modern supply chains, where critical dependencies often sit outside formal outsourcing definitions.

At the same time, reporting requirements under PS7/26 have been simplified. Firms will only need to submit one submission, which is shared to both the PRA and FCA, suggesting a clear effort to balance increased regulatory expectations with practical implementation.

“Increased regulatory scope does not necessarily mean increased administrative burden.”

This is an important point. Firms will need to do more work in identifying which third parties are genuinely material, but the reporting itself is becoming more structured and more manageable.

The core expectation of PS7/26 remains consistent. Firms need to understand their third-party landscape. This is not limited to outsourced providers but extends to any supplier that plays a material role in delivering important business services. As supply chains become more complex, the challenge is less about identifying direct relationships and more about gaining visibility over dependencies and potential concentration risks.

“Firms need to understand not just who they outsource to, but who they rely on.”

What are the priorities for firms? 

Many firms will already have a good grip on the core principles outlined in the statement by investing early in supplier visibility, clear segmentation, and aligned reporting, they will be best placed to meet the expectations set out in PS7/26 and strengthen operational resilience. 

1. Revisit supplier segmentation
Reassess what qualifies as a “material” third party beyond outsourcing. The key question is whether the supplier supports an important business service and what the impact would be if it failed.

2. Improve visibility across the supply chain
Identify hidden dependencies and concentration risks, and ensure third-party data is accurate and accessible. Without this, effective risk assessment becomes difficult.

3. Align reporting processes early
Standardise how incident data is captured and reported internally. This will reduce duplication and improve efficiency as PS7/26 reporting requirements evolve.

4. Take a joined-up approach to resilience
Link this work to broader operational resilience efforts, including Critical Third Parties and frameworks like DORA, to ensure consistency across the organisation.

Summary 

Many firms will already have a good grip on the core principles outlined in the statement by investing early in supplier visibility, clear segmentation, and aligned reporting, they will be best placed to meet the expectations set out in PS7/26 and strengthen operational resilience.