The Financial Conduct Authority is concerned that organisations may not be acting quickly enough on a sufficiently wide range of operational risks. To counter this, it published a consultation on operational risk reporting that runs until the middle of March.

For most of the public, the most impactful examples of operational risk failures in financial services are when payment systems go down – ATMs stop working, or direct debits don’t get paid.

However, operational risks apply to more than purely transactional processes. They could apply to situations where consumers find it difficult to get through to a financial services company fast enough during an emergency, or where non-cash benefits are not delivered on time.

Despite the wide range of potential operational risk failures, the reporting that the FCA sees from firms tends to focus on the most transactional sectors of financial services – almost 70% of incidents reported by firms to the watchdog between 2018 and 2023 came from the retail banking, payments and wholesale financial markets. In contrast, less than 10% of reports came from insurers. The FCA is concerned that, these concentration patterns suggest that there may be some underreporting – and of a degree that it cannot quantify.

The regulator is also concerned about the timeliness of reporting, observing that “over 20% of operational incident reports submitted by firms arrived over 11 days after the incident had started”.

The FCA wants operational reporting to be more forward-looking – including events that have the potential to result in intolerable harm for consumers. Its threshold on reporting an operational incident is where it could “cause or has caused intolerable levels of harm to consumers and they cannot easily recover as a result”.

Under its existing operational resilience regime, the regulator has already provided examples of what intolerable levels of harm could be for insurance customers.

One example involved a firm that set two standards of tolerable levels of harm for consumers with a motor claim – one was a maximum waiting period for a courtesy car of two days; and another was to ensure that consumers could always have access to the claims team both by phone and through an online portal.

The FCA’s consultation paper also focuses on third party arrangements that may not be outsourcing arrangements, arguing that, over the years, “firms’ operations have become more complex and dependent on technology, increasingly relying on a wide range of services delivered by third parties”. For example, firms may rely on cloud computing services that are available as a utility and not delivered as part of a formal outsourcing arrangement. The FCA wants Solvency II firms o address this by maintaining and sharing a register of third-party arrangements.

The FCA’s proposals continue a trend towards making insurance companies accountable for impacts on customers that may be the result of failures beyond the strict corporate boundaries of an insurance company. They will require insurers to ‘read the road’ even more carefully than before, reducing the number of occasions when they can say ‘no-one could have seen this coming’.

---