Navigating the New Frontier: The 2026 PRA and FCA Material Third-Party Regime
Published on: 27/04/2026 00:00
The regulatory landscape for operational resilience (OR) has undergone a significant upgrade. On 18 March 2026, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) published their final Policy Statements (PS7/26 and PS26/2) on a unified and enhanced framework for reporting operational incidents and Material Third-Party (MTP) arrangements, the latter of which we discuss here.
With the rules set to come into force on 18 March 2027, firms now have a critical twelve-month implementation window to align their Third-Party Risk Management (TPRM) programmes with these heightened expectations. This shift moves beyond traditional “outsourcing” to a broader, more holistic view of the third-party ecosystem, and is in line with our views on more holistic Third Party Management (TPM) – see our TPM whitepaper.
The link with incident reporting is also interesting and is driven by the fact that the largest segment of incidents reported to the regulators related to third-party relationships. There is no doubt that the regulators are increasingly concerned about the robustness of TPRM across the industry, both at an individual firm and systemic level.
The Expansion of Scope: From Outsourcing to MTPs
For years, regulatory focus was primarily fixed on “material outsourcing”, with TPRM covered under OR and with light-touch reporting of MTPs. The new 2026 regime fundamentally expands this scope and dramatically raises the bar on MTP reporting, including evidentiary and auditability requirements. A Material Third-Party (MTP) arrangement is now defined by the potential impact of its failure, regardless of whether the arrangement is “outsourcing” or simply an external dependency (e.g. an external data provider).
The significance of this change is illustrated by a very common situation. Consider a firm that relies on an external data source for AML due diligence (e.g. a consolidated database of sanctions, PEP and adverse media), but which carries out the actual due diligence activities in-house. Prior to the new regime, the external data source would not have been considered material outsourcing. While certainly material (enabling the firm to comply with its regulatory obligations), it isn’t outsourcing, as the firm does the processing. Under the new regime, the data provider would be a Material Third-Party.
Crucially, this now explicitly captures non-outsourcing arrangements, such as:
- ICT Infrastructure: Cloud storage, data centres, on-premises IT and cybersecurity services.
- Advanced Technologies: Critical software-as-a-service (SaaS) platforms, AI models, machine learning libraries, and proprietary data feeds.
- Critical Business Services: Brokerages and client introducers, customer screening, custodians, data analytics and management.
If a disruption to these services could cause “intolerable levels of harm” to clients, threaten the ability of the firm to meet threshold conditions, or threaten the stability of the UK financial system, any TP arrangements would be deemed “Material” and subject to the new notification and reporting requirements.
Key Obligations: Accountability and Transparency
The new regime introduces two core pillars of obligation for firms:
- Unified Notification: Firms must notify their regulator of any new MTP arrangement, or significant changes to existing ones, via the FCA Connect platform. This must be done during the decision-making phase, before the firm is contractually or operationally committed.
- The Annual MTP Register: Firms are now required to maintain and submit a comprehensive annual register of all MTP arrangements. This register must include, inter alia, details on the nature of the service, the data handled, and the results of recent (financial, operational and cyber) due diligence.
Critical Internal Actions
While firms will (should) have covered TPRM as part of their OR compliance, the new regulations demand a high level of robust evidence, sufficient to satisfy the scrutiny of an independent audit. Accordingly, to ensure compliance by the March 2027 deadline, firms should initiate the following actions immediately:
- Comprehensive Mapping and TP Analysis: Identify every third-party dependency, including “n’th party” risks (sub-contractors) that underpin your important business services.
- Materiality Re-assessment: Ensure your internal materiality criteria fully reflect the regulatory definitions and that these are faithfully applied to the TP population.
- Governance Integration: Boards must take accountability for the MTP register and indeed TPRM as a whole. This is no longer just a procurement or IT task; it is a core governance responsibility that requires senior management sign-off.
- Process and Systems Enhancement: TPM processes and systems across the whole TP lifecycle must be reviewed and enhanced given the new and increased notification and auditability
The Value of External Advice
As firms navigate these complex changes, independent external advice plays a pivotal role in bridging the gap between regulatory theory and operational reality. At Pathlight, we assist firms in several critical areas:
- Policy and Procedure Refresh: We help firms update their TPRM and Operational Resilience policies to incorporate the new MTP definitions and notification thresholds.
- Independent Gap Analysis: We provide an objective evaluation of your current third-party inventory against the new requirements, identifying “hidden” material arrangements that may have been overlooked.
- Board Training and Assurance: We offer tailored sessions for senior management and Boards to ensure they understand their personal accountability under the new regime.
- Implementation Support: From configuring reporting templates for FCA Connect to conducting “dry-run” incident reporting exercises, we ensure your team is ready for the March 2027 go-live.
Moving Forward with Confidence
The 2026 MTP regime is a clear signal that regulators expect firms to have a “single version of the truth” regarding their external dependencies, and to robustly manage the related risks. While the implementation effort is significant, it provides a unique opportunity to build a more robust, resilient, and transparent business.
By taking proactive steps now – and leveraging expert advice to validate your approach – you can ensure that your firm meets the new standards not just as a compliance exercise, but as a strategic advantage.
