Operational resilience 1 year on, incident and third party reporting requirements
Operational resilience is critical for ensuring that financial firms can prevent, respond to, and recover from disruptions – such as cyber-attacks or failures at third party providers – to protect consumers, market integrity, and financial stability. Strengthening resilience is a shared challenge. It calls for collaboration between firms and regulators, better sharing of insights across the sector, and continuous investment from firms over time.
Our technology, resilience and cyber team hosted a webinar marking 1 year since our operational resilience rules came into force. We shared findings from our review of firms’ operational resilience, and discussed our recently published incident and third party reporting requirements, which come into force in March 2027.
What we covered:
Practical insights from the first year of operational resilience rules, so you can benchmark your approach and quickly spot gaps.
Examples of good practice and sector wide themes we have seen in firms’ self-assessments, and how this can guide your priorities.
A breakdown of the recently published reporting frameworks for incidents and third parties. Learn what's changing, when and why it matters for you.
Awareness of how reporting data will support more consistent incident management and help you strengthen resilience internally.
Understanding how your feedback shaped the final rules and what support is available during the implementation period.
Hear directly from FCA and PRA representatives on our coordinated cross authority approach.
A chance to ask questions and get clarity on the issues that matter most to you.
This webinar is aimed at senior representatives working on operational resilience as well as incident management and third party risk managers within regulated firms. Trade associations, consultancies advising firms, etc., are also welcome to attend.
Captions and transcript are auto-generated.
Useful links:
PS26/2: Operational incident and third party reporting | FCA
Operational resilience: insights and observations one year on | FCA
Effective practices: Cyber response and recovery capabilities
Transcript:
Morning everyone and welcome to our webinar. I'm Claire MacArthur, head of Technology, Resilience and Cyber here at the FCA. We're here to talk about Operational Resilience, and our new rules on third party and operational incident reporting. On the agenda we've got some introductory remarks from the Director of our Specialist Department, Mark Francis, and then we've got three presentations and there'll be time for questions and answers at the end of the session. Thank you to everyone who submitted questions ahead of the session. We've had lots come in. You can also post questions in the sidebar throughout the webinar and we will respond to as many of those as we possibly can, both the pre-submitted ones and the live ones, with the time available at the end. Now some of the pre-submitted questions we received are outside of the scope of this session, but some will be answered in the presentation section and others we'll cover during the Q&A. So without further ado, I'm going to hand over to Mark.
Mark Francis - Thank you, Claire. Thank you. Good morning, everybody, and welcome. Thank you very much for joining us today. So the 31st of March marked exactly one year since the end of the operational resilience transition period. And this feels like the right moment to take stock to reflect on the progress that firms have made, to be honest about the challenges that remain, and of course, to look ahead at what comes next. A year ago, firms had laid the foundations, they identified their important business services, mapped dependencies, set impact tolerances and tested against severe but plausible scenarios. And that work mattered then, and it still matters now. But preparation is only part of the picture, as we all know. The real test of resilience comes when disruption actually happens, and the threat landscape hasn't stood still. If anything, it has intensified.
From increasing cyber threats and geopolitical tensions to firms' supply chains becoming more complex and interconnected, with firms more reliant on third-party providers than ever before. That reliance is growing alongside the pace of technological change. In 2025, we know that around 40% of cyber incidents reported to us involved a third party. That's a significant figure, and it reinforces why this agenda remains such a priority for us at the FCA. The more resilient financial sector is also a more competitive one. This resilience underpins innovation, market confidence and long-term economic growth. So that's not just a regulatory goal. It's good for firms, and it's good for the UK economy. To do our jobs well, we need good data. Consistent, high-quality information on operational incidents and firms' third-party arrangements is essential, not just to support individual firm responses, but to give us the visibility that we need to spot emerging risks across the sector, and act early to reduce harm to consumers and markets. That's why working jointly with the Prudential Regulation Authority and the Bank of England, we've developed new operational incident and material third-party reporting policies. We've designed those policies together deliberately to provide consistency and to reduce the burden on firms as much as possible. That's why we're also joined today, and I'm really pleased to be joined today, by colleagues from both the Bank and the PRA. So, the focus of our new reporting frameworks is on collecting information that genuinely matters. Incidents and third-party arrangements that pose or potentially pose a real risk to our statutory objectives. A key part of our efforts as an organisation is to be a smarter and more data-led regulator. We published our respective consultations on the 13th of December 2024. They closed on the 14th of March 2025. And I want to thank everyone again who took the time to respond, many of whom are in the webinar today.
So, thank you all very much for taking the time and for your really constructive and insightful engagement through consultation. The feedback that we received from you shaped the final rules, which we published on the 18th of March this year. And firms have 12 months to embed them, but I'd encourage everybody not to wait to start that work. And obviously, in the meantime, if an incident occurs, please continue to notify us as soon as you're aware of it. So, today's webinar is an opportunity to hear more about those new rules, to share our observations from firms' self-assessments, and importantly, to help answer any questions that you may have. We want today's discussion to be as relevant and as helpful as possible for you, so you can get the most out of the event. The financial system is interconnected and when disruption occurs in one place, its effects can spread. Operational resilience, therefore, is strengthened when everybody plays their part. Firms, authorities and the wider sector are working together, sharing insights and reporting clearly and promptly. We've seen some real progress this year, but of course the work isn't done. Resilience isn't a one-off exercise, it's continuous improvement. And the firms doing it well are treating it in that way. So, let's get into it. Thank you very much again for making the time to be here this morning. I look forward to a rich conversation. And I will now hand back to Claire, the FCA's Head of Technology, Resilience and Cyber, and your chair for today. Thank you very much. Claire.
Claire MacArthur - Thanks, Mark. So we've now got three presenters for you. Helen Stone from my department in the FCA is going to talk through operational resilience and what we're seeing one year on from the March 2025 milestone.
Joe Hall, a policy advisor from the PRA's Prudential Policy Directorate, and George Brewer, the FCA's Incident Response Manager, are also going to talk you through the new requirements in the rules that we've recently published, along with the PRA in the Bank of England. We'll be talking about the PRA's Prudential Policy Directorate, and we'll be talking about incident reporting. And then I'll come back and introduce the rest of our panel for this morning. And we'll take questions from the audience. Now, as I said, if you do have questions as we go along, please post them in the sidebar and we'll get through what we can. We'll only be able to answer questions that relate to the topic in hand this morning, which is operational resilience and reporting on operational resilience in third parties. We won't be talking about other FCA areas of focus or the regimes. So it'd be great if you could try and stick to that when you submit any questions. Thanks both. Hi, everyone.
Helen Stone - So as Mark has said, we're now just over a year on from the end of the operational resilience transition period, 31st of March 2025. And by now, firms had to have completed mapping and testing and made the necessary investments so that they can remain within impact tolerances for each important business service. But how much of this is translating into how your firms run your business? How embedded is operational resilience? And how much are you thinking about your ability to remain within impact tolerance when you're looking at making changes to the systems you use or when taking on new third party suppliers? To the points on the slide, has operational resilience become a central part of your firm's risk frameworks and planning? Is your board involved in driving improvements in operational resilience? And are they getting the information they need to enable them to do that?
Do you know what you would do if your firm was victim of a severe cyber attack or a significant outage at one of your third parties? And are your self assessments and discussions with your board clear on this if it's an area where you would struggle? Do they explain this clearly? And do your board know and understand what your firm would do in those scenarios?
Mark Francis - So the idea of this section on operational resilience today is to give you a bit more colour so that when you discuss this in your firms, you're really able to talk about areas where you are already doing what you need to do and potentially some areas where you may need to do more to address some gaps in your firm's approach or where you may need to keep evolving to keep up with the developing external landscape. So in general, we've seen strong engagement and good progress across all areas of the rules and guidance and it's been encouraging to see how operational resilience has become a central part of many firms' risk frameworks and planning. And this has driven many firms to think about their own resilience and risks, striving them to rethink, innovate and adopt new practices. We're seeing firms testing the resilience and vulnerabilities of their third party providers and their supply chain more rigorously. And firms have started doing this jointly with their third parties. Some firms have invested in data vaulting and immutable backups, standby data centres and new processing centres to help ensure that they can recover important business services within impact tolerances and maintain critical operations following disruptions caused by cyber attacks. And boards play an important role in strengthening firms' operational resilience. It's essential that they get the information they need in order for this to be effective.
The self-assessment gives them this information to enable them to understand their firm's approach, who's responsible for it and the organisation's ability to recover those important business services within impact tolerance. We don't expect firms to include every piece of evidence in their self-assessment document, but it should be clear enough for the board to understand and decide what to prioritise and what they need to do to build and maintain operational resilience.
Mark Francis - So, of course, as Mark said, the work didn't stop last March, we've seen some high profile incidents and outages over the last 12 months or so as well, which have helped reinforce the need for strong operational resilience. And we know that the most complex challenge that firms have highlighted through their self-assessments is to remain within impact tolerance in the event of a particularly severe cyber attack or a significant outage at a third party provider. And the better self-assessments explain this clearly and include information on what firms would do in these scenarios. So, we encourage firms to continue to address these by remediating individual firm-specific vulnerabilities and working collaboratively with industry groups. With the PRA and Bank of England, we published effective practices on cyber response and recovery capabilities last year. And this is going to be a continued focus of our work this year. So, if we have a bit of a more in-depth look now at the progress firms have made, they have done a lot. We've been talking about important business services and impact tolerances for a long time now. And we've seen real progress in how firms are thinking about this in terms of the services they provide and the harm that could be caused by a disruption to those services. There are a few themes that have come through in our self-assessment reviews and discussions with firms that I thought useful to call out today.
We looked across impact tolerances, mapping, testing, vulnerabilities, communications, governance. And what we see in stronger firms is coherence and consistency across those. They explain their decisions clearly. They use evidence from testing and incidents to refine those decisions. And they join activities up end to end and embed clear ownership and governance. And I think most importantly, they treat operational resilience as an ongoing discipline focused on reducing harm, not a one-off exercise. And all of this helps support robust decision making. Firms clearly explain how and why key resilience decisions are made, enabling effective board understanding and challenge. And across all of the areas we looked at, good practice is consistently characterised by firms being explicit about their methodologies and their rationale, their assumptions and thresholds that they're using. And their use of multiple data sources to support judgments. We've also seen a positive approach to evidence-led calibration using testing and real world experience. Stronger firms are using scenario testing and real incidents to validate and recalibrate their impact tolerances, as well as their response and recovery options and communication strategies. They're expanding and evolving their scenarios year on year, as knowledge develops and as risks change. And they're incorporating lessons learned into their planning and governance processes. And the outcome of all of this is that judgments are refined using testing outcomes and real world experience, rather than remaining static. Thinking about an interconnected approach, firms are treating operational resilience as a joined up life strategy, rather than a set of standalone activities. And this means that mapping outputs are used to identify vulnerabilities. Vulnerabilities are used to inform scenario testing. Scenario testing drives remediation and investment decisions.
Remediation progress feeds into governance reporting and communications are embedded across testing, playbooks, business continuity plans. And then clear and robust governance links all of that together. And then in terms of the continuous improvement culture, we're seeing in the stronger firms operational resilience being treated as an ongoing discipline, as I said, not a one-off compliance exercise. And some examples of good practice we've seen here are clear and regular review cycles, both kind of standard annual review, but also following material change. We're seeing acknowledgement of gaps, tracked remediation to closure, and an ongoing evolution of approaches as risks change and understanding increases. So in summary, good practice is really characterized by firms demonstrating operational resilience clearly, end to end, in a way that supports informed board challenge and decision making. But there is more to do, as we've laid out here. And when we look across the areas where firms need to strengthen, four themes really come through. Resilience judgments are sometimes too broad or unclear. Assessments don't always cover the full service chain. We're seeing assertions about operational resilience that aren't consistently backed by evidence. And then ownership and governance aren't always clear enough to drive challenge and remediation. And we see this sometimes with resilience being described at a high level, but not evidenced or connected strongly enough to support robust board assurance and decision making. And firms in this position should move from asserting that they're resilient to evidence that clearly, end to end, and in a way that enables boards really to challenge and prioritize. It doesn't mean at all that firms aren't doing anything. It's more that their judgments are stated, but they're not sufficiently evidenced. Coverage is partial. It's not fully end to end and joined up.
And governance structures are present, but don't clearly drive challenge or accountability or follow through. So we'd really encourage firms to make sure that their judgments on resilience are clear. And this includes being clear about harms that would occur if an important business service were disrupted, and using that to define impact tolerance. But also avoiding unqualified claims about response and recovery options. You really need to have a clear view of what you would do in your disruption scenarios, and whether that is enough to recover before you hit an impact tolerance. And having thought fully about the impacts and the harms means that you will have much richer data to test against. So similarly we saw examples where key judgments about resilience were a bit too broad or insufficiently clear to support meaningful assurance or challenge. Again, thinking about different types of harm, consumer harm versus market integrity, for example. Thinking about the limits of resilience and what would actually cause harm or breach an impact tolerance. And then assertions about recoverability that are not well defined or evidenced in terms of how they would actually work in a disruption scenario. There's also an issue with mapping not being comprehensive enough. Self assessments don't also always reflect the full end to end service and dependencies. We saw firms who hadn't considered all components required to deliver important business services, leading to mapping that could be maybe over focused on technology, with limited coverage of people, processes, facilities, information and third parties. So it's really important to make sure that mapping covers everything that supports the delivery of important business services. And this includes going beyond technology. We know that firms initially struggled to really map out their third party landscape. We've talked to several firms about improvements that they need to make.
This is a particular problem in thinking about third parties. You've got to know what they provide, where are the pinch points, and what would you genuinely do if they weren't available. And as it says here on this slide, asserting resilience is not the same as demonstrating it in a way that enables effective board assurance and challenge. So to sum up a bit, operational resilience is not static. Mark talked about how it requires continuous improvement. The external environment continues to evolve, and scenarios that seemed implausible in the past may now be more likely.
Mark Francis - This underscores the importance of firms taking a dynamic approach, including regularly reviewing operational resilience measures. And firms need to continue to move beyond compliance and embed operational resilience into how they design products and services and more broadly into how they conduct business. So treating resilience as a core business capability integrated into strategic planning, product development and customer engagement rather than as a standalone exercise. Investing in operational resilience then helps drive long term growth and firms that prioritise resilience are better positioned to innovate, to attract customers and to support market confidence. Many firms have demonstrated maturity in governance to us, but all firms should continue to focus on this board engagement. They need to have robust frameworks and evidence based self-assessments if we're going to continue the sector wide improvement. Firms should continue to move beyond compliance and they should. As I mentioned, they should treat resilience as this kind of core business capability. In doing that, firms should assess their ability to remain within impact tolerance annually, but also how well they're prepared for and the impact of disruptions in the market they operate in and disruptions further afield. And this is key to maintaining that resilience in a changing landscape.
And firms that prioritise resilience will help them not only meet regulatory expectations, but will also strengthen trust, protect their consumers and safeguard market integrity in the face of future disruptions. So I wanted to leave you with five key questions to ask yourself just before I hand you over to hear about the new reporting rules. When you think about your firm's approach to operational resilience, can you answer yes to all of these with confidence? So are your important business services and impact tolerances credible? Are they understood across your firm? Are they reflective of your business model and your potential harms? Do mapping, scenario testing and remediation provide the assurance that you can remain within impact tolerance? Does your approach to mapping and scenario testing cover your real vulnerabilities and test them to make sure your response recovery plans will do what they need to? Are your severe but plausible scenarios really testing what matters most? And if you have additional remediation underway, are your plans clear to the business and to the board? How will plans give assurance that you can remain within impact tolerance for all of your important business services? Do plans for incidents, business continuity, change and outsourcing explicitly consider important business services? Are you thinking about these when you're looking at incident management, change management, outsourcing, third-party risk management? Can your firm communicate and coordinate effectively during a severe but plausible disruption? Do you have a comms plan outlining what you'll do in the event of one of these disruptions? What if you can't communicate via usual channels? Does everyone know what they would need to do? And then finally, is your board actively driving and owning operational resilience? Is the board engaged?
Do board members understand and agree with your plans to develop operational resilience and embed it further in the way you run your business? So all of this should then inform your view of how comfortable you are that your firm will be able to recover within impact tolerance in the event of a disruption. And if the answer to any of this is no, then that should be a real sign of where you need to be thinking about steps you need to take to get back on track. So there are a lot of linkages from what I've just gone through on understanding where your operational resilience relies on services supplied by third parties and on incidents, particularly those that are difficult to recover from. And this brings us nicely to our next section on our new rules on operational incidents and third party reporting. So I'm going to hand over to Jo Hall now from the PRA, who's going to talk about the policy. And how it applies to reporting on material third parties. And then George Brewer is going to talk about incident reporting. So over to you, Jo. Thank you.
Thanks very much, Helen. So as Helen noted, I'm here to talk about the material third party side of things. And then I will hand over to George to cover incident reporting. So in designing the policy, we had three overarching outcomes that we've been aiming to achieve. The first is to gain a better oversight of the risks, which will allow us to better monitor and respond to operational incidents as they progress through their life cycle. Engaging with firms before they enter into or change their material third party arrangements or MTP arrangements. And by collecting data on systemic risks, which can help us make the CTP and more critical third party designation recommendations. Now, I understand that we have had a lot of questions about critical third party designation and the timeline to confirm. We cannot provide any designation timelines as this decision lies with the Treasury.
So second aim is to provide improved feedback to firms in the financial sector. So at a firm level, it's using the information that we receive to better engage with firms on their approach to incidents and material third parties and their overall operational resilience. And at a sector level, the policy will give us better ability to share trends and key risks on an anonymised basis. Finally, to address vulnerabilities on a more informed basis as well. So working with firms and the sector to tackle risks and vulnerabilities with the aim of improving operational resilience. To achieve this, we've taken a proportionate approach to the reporting requirements, limiting firm burden as much as possible by only collecting information on incidents and material third parties, which pose a risk to our objectives. Supporting interoperability by aligning as much as we can with international regimes, such as the EU's Digital Operational Resilience Act and the FSB's format for incident reporting exchange. Standardising reporting to improve data quality and to reduce that back and forth that you have with your supervisors and allowing firms to submit a single report via a shared portal to all the authorities with information then routed to the relevant authority or authorities if it's more than one. So what did we propose in the CP? In the consultation, we proposed three core requirements for incident reporting that firms would submit standardised data on any operational incident that meets our reporting thresholds. Material third party notifications requiring firms to notify the authorities before entering into or significantly changing a material third party arrangement. And the register submitting an annual register covering all material third party arrangements. So following the consultation closure, we considered the responses that we received and overall found that respondents supported the policy aims and the proposals for standardisation.
However, concerns were raised about potential costs. There was sort of, they sought greater clarity on incident reporting thresholds and timings and asked for refinements to the data requirements for both incident reporting and material third party reporting. There are also requests for greater alignment across authorities, especially where it's the case for dual regulated firms. And so in response, we've made several important changes with the aim of reducing burden on firms whilst ensuring that the authorities receive the data that we really need. We've adopted a joint approach across the authorities, aligning definitions as much as we can. And we've also looked at fully aligning templates supported by a single technological solution to reduce duplication and cost. The scope of material third party reporting has been made more proportionate with exemptions for intergroup arrangements, which do not involve an external third party. Third country branches and for the PRA, smaller credit unions will only be in scope. We have also made the scope of incident reporting more consistent across the authorities with the scope of the FCA's enhanced reporting and the PRA's incident reporting aligned. For these firms, we have a more dynamic single form, which should be updated over the three phase process of an incident. To help firms focus on resolving an incident, we've also reduced the amount of information that we're asking for up front. The FCA has also introduced standard reporting requirements, dropping down from the three stage reporting process for about 90 percent of FCA solo regulated firms. And that's a big change and really a reflection of taking a proportionate approach. We've also added additional guidance to support firms on the consistent interpretation of the thresholds and materiality to help firms better understand when they need to report an incident or notify us of a material third party or include it in their register.
So moving on to what's in material third party reporting. As you can see, this slide sets out our final requirements for material third party notifications and the register. As we mentioned on the authorities have worked to further align the policies and provide further guidance for firms so they are clear on what and when they need to support, they need to submit on their material third parties. Additionally, we've made efforts to separate the register and the notification templates to provide firms with further flexibility on the data they report to us. Reduce the amount of data that we are asking firms to submit on their material third parties. And we've created a single platform for the submission of the register and the third party notifications, allowing firms to make a single submission to the authorities rather than making separate duplicative submissions to each authority. We consider that these changes will effectively limit the burden on firms and allow us to focus on only collecting the information that we need. So I'm now going to bring in George Brewer to go through the new rules on operational incident reporting and how firms should be approaching those. So George, over to you.
Thanks very much, Joanne. Good afternoon, everybody. My name is George Brewer. I manage the FCA's incident response team. So it is my team that oversees the FCA's response to operational incidents in industry. My focus today is very much on what the policy means for you. So what has changed in the consultation, what the definition and thresholds mean in practice, and how you should report incidents when they do occur. Overarchingly, the policy will not stop incidents happening. They're, of course, inevitable. And it's not about replacing incidents in frameworks that you may already have in place. It's about providing more clarity on what to report, when to report, and indeed how to report. To give a sense of scale, we receive about 1,000 a year.
These range from single-firm incidents to incidents or events affecting multiple sectors, like we saw a CrowdStrike, or indeed the spate of cloud outages at the end of last year. From cyberattacks to failed technology to fire and flood, we see it all. Ultimately, more focused and consistent reporting helps us to identify risks earlier, reducing the unnecessary follow-up back and forth with you during crisis, and to engage you more predictably and proportionally during an incident. In terms of the FCA's wider strategy, these changes support our ambition to be a smarter, more data-led regulator, and in doing so, strengthen the resilience of the sector as a whole. So, on to the next slide. Let's take a deeper dive on what Joe has already set us out. When we consulted on the policy, you were clear about what mattered most to you. You told us incident reporting needs to be proportionate, so firms are not reporting or reporting low-impact issues. It's practical, so it works for you in real-life, fast-moving, real-world conditions. And thirdly, that the rules should align across both the authorities, but also existing regimes. Because the rules apply to all firms, to become more proportionate, as Joe says, we've put in place a more dynamic reporting process. More on that, shortly. But for most of the FCA's firms, we introduced a more streamlined reporting process. This is essentially a one-stop shop to report an incident to us, whether it's closed or ongoing. If the incident poses a risk to our objectives, we then may have to engage further. But for the larger firms, including those of you who are subject to our operational resilience rules, the payment service regulations, and most dual-reg firms, we've retained the three-stage reporting process that you may already be familiar with. While firms in scope of that more enhanced process, as mentioned, is more dynamic. This is because we recognise that incidents evolve over time.
Under our rules, firms must report an incident as soon as it's practical to do so. But firms can then provide updates as it becomes clearer or if there are significant changes in circumstances, rather than when everything is known. On alignment between the regulators, to be clear, it was always our intention to align. We've made that much clearer in the policy and the guidance. Crucially, as Joe introduced, we have a shared definition of an incident. They've also set thresholds that should be met before reporting. But these thresholds are linked to our own objectives. For example, the FCA has a consumer harm remit. The PRA does not. So clearly, we need to differ there. Regardless, if you are dual-regulated, you have to do one report, and that will go to both regulators if you need it to. On alignment with other regimes, we've worked really hard to reduce the burden for you while aligning to those frameworks. For example, FIRE and DORA. And specifically for payments firms, we have subsumed the payment service regulations in this policy. So come March '27, all payments-related incidents will report under this framework. And finally, being clear about the policy lets you work with incident frameworks that you may have already in place. This policy is about incident reporting and working with us. It's not about changing how we manage incidents internally. Moving to the next slide. At the centre of the policy, it's essentially a two-stage test. First, has an incident occurred and materialised? And second, has it met those thresholds to report? On the first test, an operational incident is an event that disrupts the delivery of financial services or brings the integrity of data that a firm holds others into question. We do not want firms to report incidents under this framework that were prevented or were a near miss. We also don't want you to report incidents that have no impact on financial services. For example, if your payroll system crashes, that wouldn't be reportable.
But once the incident has happened, the second part of the test is whether the incident has met or reasonably poses a risk to our objectives. We want you to focus on the important incidents that matter, that are significant in scale, duration, or indeed impact, or are likely to cause harm to consumers or market participants. As mentioned, this is not a zero-tolerance regime. This is not about reporting everything that goes wrong. It is how we're meant to be outcomes-focused. We have stayed away from metrics as harm can't be boiled down to numbers. Like our existing principle-led rules, it is for firms to assess whether the incident meets a threshold, as firms are best placed to know their businesses, their services, their customers, their place in the market, and ultimately the impact of disruption. Crucially, we're not asking you to reimagine the wheel. Many firms already have existing incident management frameworks in place. We do not need to introduce a new framework. We will want to use this policy and our guidance to reflect on it. Equally, the factors that we've provided for you to consider shouldn't result in a tick-box exercise every time an incident happens. It is guidance to provide clarity to you on what matters most to us. On the actual reporting of an incident, we know that in the heat of a crisis, information is missing and you're acting to put that fire out. We absolutely do not want you to stop taking the actions you need to contain and resolve the incident. And so we've tried to reflect that in the information we're asking from you, particularly at the outset. After reporting, firms in the enhanced regime should then update us after any significant change and keep us informed as the situation evolves, including resolution. Finally, we want to be clear that where firms have existing supervisory relationships, you are absolutely free to utilise them, particularly for complex or fast-moving incidents.
It is then for you to report the incident as soon as practical thereafter, per the rules in the policy. So moving on to the timeline and next steps, we're really keen to give you the time you need to embed the new reporting framework confidently before the rules come into effect in March 2027. But what should you be doing now? Well, we reckon a few things. First, you should review your existing incident management processes. That could involve mapping your existing frameworks against the new thresholds and the guidance. Second, you should make sure that your teams understand their roles in the crisis. And thirdly, you should seek to clarify escalation and decision making to enable you to report when you need to. For many firms, this should be about mapping and clarity, not redesign. And for many more, this policy helps you to take a better approach to incident management. It's not just about response and recovery, but about understanding your own processes and the impact disruption can have on those who depend on you. So to conclude, we think the final policy reflects what firms told us during the consultation, but it also speaks to the FCA's wider strategy to be a smarter, more predictable, and ultimately more proportionate and data-led regulator. Thanks, Beth.
Thank you, George. And so now we'd like to hear from you. And it's great to see we've had loads of questions come in. We've also had a question about whether transcription and copies of the slides will be available afterwards. Yes, an on-demand video will be available shortly after the webinar for people to re-watch, and we'll send the link around. And the full transcription will be produced and made available within the next few days. So I'm going to introduce our podcast. We're going to introduce our panel, which includes the speakers that you've just met, as well as Joe George and Luke Vile, both technical specialists in the technology, resilience, and cyber department here at the FCA.
And we're also joined by Richard Spooner, who's a senior manager in post-trade policy at the Bank of England. So, panel, I hope you're ready. We've tried to cover off most of the most popular questions. But we're going to start off with a topic close to my heart, cyber. So the FCA has spoken a lot recently about quantum cyber resilience. Why is this so prominent for regulators? And I'm going to hand this one over to Luke.
Thank you, Claire. I think, first of all, it's probably right to say that quantum computing has the potential power to enhance and, in all likelihood, transform the ways that firms operate. But as with all evolving and emerging technologies, there will be risks to consider, as well as actions to take to mitigate those risks. Now, the key risk from quantum computing that NCSC, the National Cyber Security Centre, have spoken about, is the risk that a viable, hostile quantum computer would be able to threaten cryptography. So that is to say that it could solve the mathematical equations that underpin current encryption. NCSC have also signalled pretty clearly that the mitigation for that key risk is for firms to migrate their systems to post-quantum cryptography. The FCA is not a national technical authority for cryptography, but I think we would support that. And the NCSC's quite detailed technical guidance that they published in March 2025 sets out very carefully what they recommend are the steps and stages for firms to go through in order to achieve that migration to PQC. That guidance was written, I think, for an audience of critical national infrastructure firms. But it's probably very relevant for all organisations considering that risk mitigation, that migration. There's a lot of work involved in making that migration.
And I think that's why the NCSC's guidance is so helpful, because it focuses on the activities needed to prepare and, in particular, to plan, including developing an accurate understanding, setting migration objectives, and then implementing critical systems first, followed by non-critical systems. So to answer part of the question, the prominence is from, I suppose, an acknowledgement of the scale of work involved in PQC migration. But another part of the prominence is around the timescales involved. I think in October 2025, the PRA published a paper in which they said there is considerable uncertainty around how quickly a quantum computer will materialise. So that's another reason why NCSC's recommendation for planning now is key. It's been quite encouraging to see consensus form around the need to migrate critical systems, followed by non-critical systems. And there's also good consensus, I think, forming around the timelines involved. The G7 Cyber Experts Group roadmap on PQC, which the FCA and the Bank of England and the Treasury co-authored, acknowledges that different jurisdictions and standard-setting bodies, as well as other multilateral bodies, increasingly point to that timeline of 2035 as an overall target date for quantum-resistant cryptography migration for all systems, with, I think, in that case critical systems suggested to be migrated by 2030 to 2032, which overlays very neatly with the NCSC guidance. And that might sound quite far away, but it's really not. So I think there's an important pacing element to migration. So I think just to say directly that the rationale for that prominence on quantum resilience is based on an awareness that security and resilience leaders are already dealing with a lot, but the scale and the pace of the work involved is significant. And the time to start planning for that is now.
Thank you, Luke. I've got a question that's come in on third country branches. I'm going to ask Joe George to come in on this one.
Joe, the question is, how do the material third party and incident reporting rules apply to third country branches?
Thanks, Claire. So this is something that Joe Hall just covered in a section, but I can repeat this. And it's also one area that we've made a big change as compared to the consultation paper. In the consultation paper, we did have third country branches in scope of notification reporting and of the register. We made a big change when we came out with the policy statement, where we've excluded notification requirements for third country branches. So third country branches are only required to maintain the register of their material third party arrangements and submit that to us when we request. So that's a big change from the consultation paper as compared to the policy statement that we came out. If you need more guidance on this, it is also there within the guidance document that we published in F26.4 in Section 4. You'll find more guidance on third country branches. Back to you, Claire.
Thank you, Joe. A really popular question that's coming in, and I'm going to send your way, Helen. What are your key observations and themes that differentiate truly resilient firms and merely compliant ones?
Thanks, Claire. I mean, I think for this, I really can repeat what I mentioned about operational resilience really being embedded throughout firms, with everyone knowing what their important business services are, their place in supporting the delivery of those, the impact of disruptions, and then crucially, everyone knowing what they would do in a disruption. And I think partly we'll see this come through in self-assessments we receive and review, but it's much more fundamental than that.
As we see this embedding of operational resilience into new product design, into change programs, third-party risk management, we should see both fewer incidents threatening to harm consumers and markets, but we should also see firms better able to deal with the incidents that do happen, resolving them long before the harms are caused. And if they can't be fully resolved, there'll be steps taken to ensure that intolerable harm doesn't occur. And I think this kind of really ties in with the work we're doing now on reporting what we're going to see coming through from that as well.
Lovely. Thank you, Helen. The next question I'm going to send Richard's way, as it's a question on FMIs. How has the bank responded to consultation feedback on the proposals for FMIs?
Thank you very much, Claire. So I would say, although our consultation respondents broadly welcomed the proposals, which, like the PRA and the FCA's, were targeted at the most impactful incidents and third-party arrangements to our objectives, one theme that we took away from them was around the burden and complexity of the proposals. And in particular, we heard concerns that without changes, the proposals could create duplicative reporting, be too complex to operate in practice, and also risk over-reporting, rather than focusing on the incidents and third-party dependencies that matter most for financial stability, which is our primary objective as a regulator, of course. So our response in the final policy has been to retain the core objective, which is around high-quality and consistent reporting, while making targeted changes to improve proportionality and reduce burden, particularly by removing overlap, simplifying templates, and also clarifying some of our expectations as well. So in respect of addressing duplication with existing requirements, a key concern was, are we going to have to report the same incident twice?
And we've responded by reducing overlap with the existing incident reporting requirements. So IREP becomes the main route for reporting relevant operational incidents. So what this means in practice for our firm types is that for CCPs, we've included a consultation on revoking Rule 4 of the recognised Clearinghouse Rules instrument 2018, because it duplicates the IREP incident reporting requirements, so we will no longer need that. And then for systemic payment systems and specified service providers, we intend to amend and reissue firm-specific notices issued under Section 204 of the Banking Act 2009, to again remove a duplicative reporting requirement. For CSDs, it's a bit trickier, because the incident reporting requirement is set in primary legislation in UK CSDR. But we've provided guidance that reporting incidents under IREP will be taken to meet the existing reporting requirements in UK CSDR. And we've also said that we anticipate reviewing that requirement in due course when the CSDR framework is transferred into bank rules. The second thing that we did was to clarify our thresholds and expectations to avoid over-reporting of operational incidents. So this particularly noted to firms saying that the framing of the thresholds in terms of incidents that could disrupt financial stability or delivery of important business services risked encouraging a really conservative interpretation, increasing the likelihood of over-reporting. So we've responded by providing greater clarity on the incident reporting threshold, including amending the approach so the threshold is tied to an FMI's reasonable belief about whether an incident could meet the reporting criteria, aligning with the PRA and the FCA, and adding some supporting guidance to that effect in the supervisory statement. And at the same time, we've clarified the interaction with Fundamental Rule 4, which will take effect in July this year. 
As IREP only captures crystallised incidents, this reporting doesn't replace the need to disclose information the bank would reasonably expect notice of, which may include uncrystallised incidents. And neither does it remove our expectation of ongoing supervisory engagement during an incident, for example, through emails or phone calls. Though our intent is that the use of standardised templates will mean that we get more of the information that we need first time round. And we've also been clear that we expect prompt notification of operational incidents under IREP calibrated to take into account our supervisor's expectations. And then a final point, and this has already been discussed, is that in common with the PRA and the FCA, we simplified our operational incident reporting form, and we also made the third-party reporting process more streamlined. So, in short, we've reduced burden by removing overlaps, giving more clarity on the thresholds and interactions with existing requirements, and streamlined templates, while we hope also keeping the policy focused on collecting the information that we most need to support financial stability.
Thank you, Richard. The next question I'm going to send Joe Hall's way. In the incident reporting and material third-party reporting cost-benefit analysis, to what extent have you considered that firms would have to change internal processes to meet reporting requirements? Over to you, Joe.
Thanks, Claire. We did consider how firms would approach this in judging the thresholds in order to determine what is a reportable incident and what isn't. I will say that, as we do note quite a lot, I think, in both the FCA and the PRA documentation, we are keen that firms do utilise their existing internal processes. We don't expect firms to do a complete overhaul of how they judge a material third party or an operational incident and whether it meets our thresholds.
What we do expect is for you to, as part of your internal processes, determine the priority of that incident and the threat that that incident potentially poses and how that aligns to our thresholds and then report as necessary. So we don't want firms to do a full overhaul. Just make sure that when you are looking at your internal processes, are you considering whether it meets the thresholds to be either a material third party or an operational incident against the kind of guidance. We have set up quite a lot of guidance in the PRA's supervisory statements and the FCA's handbook guidance in terms of what is a material third party and what is a reportable operational incident. And I do suggest that you go and have a look at that to make sure that you understand exactly what we expect to be reported. As we do note, we've set the bar as high as we can and you should only really be reporting if you consider a third party to be material or if you consider that an operational incident has met the thresholds.
Thank you, Joe. The next one is for Joe George. When will the first annual MTP register be due to be submitted on RegData?
Thanks, Claire. Like George highlighted, the policy comes into effect on the 18th of March, 2027. So our first data request of your MTP submissions should come in at the end of Q1, 2027. However, before that comes into play, what we will do is we will organise drop-in sessions for firms to join so they can better understand the system and the reporting requirements. We're also currently running a pilot for a subsection of firms to test the systems to make sure that the system works well and also to gather any feedback from a selection of firms so that we can adequately answer any FAQs that may come at the back of that. So expect something to formally come to you at the end of Q1, 2027. Back to you, Claire.
Thank you. The next one I'm going to send to George, as we.
More specific to the new reporting rules, we've been asked about the interplay with GDPR reporting and the ICO and any different thresholds and timescales. George, can you come in on this?
No problem. That's a great question and quite an easy one to answer. So obviously the ICO is the UK's data regulator when it comes to personal data breaches. Obviously GDPR, DPA, various guises, PCR or PECA. Obviously, in our definition of disruption or incident, we have financial services, but also where the personal data or information on third parties has been compromised. So not all incidents will mean that every location needs to go to the ICO, but this policy doesn't extinguish the responsibility on firms to engage the ICO when we do consider that personal data has indeed been compromised. As firms will know, they have same standards to do that to the ICO. So regretfully, this policy doesn't extinguish or infringe upon the ICO's remit, but it does run parallel to it.
Hey, George. The next one is cyber-related again, so I'm going to hand this one over to Luke. Where does the FCA see the biggest cyber resilience challenges for firms?
Thanks, Claire. I think we've said recently, I know Mark commented on this at the beginning in his remarks, that we consider that the finance sector is operating now in an environment of heightened cyber risk. Certainly, NCSC were very clear about that recently in their annual review last year in how they characterised cyber threats as intensifying. And I think that's important to say in this context because it acknowledges that cyber resilience isn't always straightforward. There is always more to do, and obviously our message to firms is to continuously seek to identify opportunities to strengthen their cyber resilience. But I think with regards to the sorts of areas that we most commonly identify as having the biggest cyber resilience challenges, there probably are some that I can point towards.
First of all, when we work with firms to undertake supervisory threat-led penetration tests through our CBEST framework, we often identify weaknesses in the ways that firms manage the control of identities. For example, not having robustly defined or effectively enforced credentials management or just not closely managing privileged access users. And we've also observed firms not having sufficiently tuned monitoring controls. In other words, controls to detect potentially suspicious activity and be able to respond to it early. And also, we've seen firms have challenges in perhaps not sufficiently hardening their environments to begin with, such as not preventing potential threat actors from being able to exploit vulnerabilities or by carrying lots of unpatched or vulnerable assets or not having capabilities to effectively patch vulnerabilities that they have identified. That's a very short snapshot of a complex area. But for anybody that is interested in this question, perhaps in a bit more detail, I would direct them towards our CBEST thematic that we publish jointly with the PRA every year that summarises the findings from our CBEST assessments from the previous year. And I'm pleased to say that for the last three years, I think we've published that online for all firms to be able to review. And every year we do try to strengthen its usefulness to firms. But publishing it hopefully gives an opportunity for firms to read the insights into the most common cyber resilience challenges. And I think certainly for the last two years, we've also included insight on these areas from NCSC that hopefully make it more powerful.
Thank you, Luke. Now, really closely linked to that topic is artificial intelligence. And the next question that's come in is on artificial intelligence and op-res. I'm going to ask Helen to come in on this one.
Now, the question is, how should firms evolve their operational resilience frameworks to address the emerging risks and dependencies associated with agentic AI and machine learning?
Thanks. So in line with kind of what we've said already, it's really at its most simple level. It's about understanding what you're using and what you're using it for before you start using it. And this is the same when you're designing any new product, bringing in any new technology to support the delivery of your important business services. And it fits really well within the parameters of our existing rules on operational resilience. So we know that AI can exacerbate operational risks, particularly when you think about how much or how little human intervention is possible in decision making, as well as the potential for errors, for biased inputs, for hallucinations. And AI tools could also be successfully used to facilitate malicious cyber attacks. So obviously, firms should be ensuring that their cyber mapping and testing explicitly considers AI-specific compromise scenarios. But we also know there are positives, right? The FCA has said publicly that we aim to enable the safe and responsible use of AI within financial services, realising the potential benefits of AI for markets and for consumers while balancing the risks. And as an example of that, we launched an AI lab last year, which is an example of how the FCA is working to bring regulators, firms and wider stakeholders together to better understand the strategic, the regulatory and the practical implications of AI and to support innovation. But just to think about where it fits within the operational resilience areas that we've talked about today, and this is a non-exhaustive list, firms will need to evolve their frameworks to incorporate not only where is AI used, but also to have real clarity on how much autonomy there is in those systems, where human intervention is, where decision-making sits between humans and systems.
And thinking, for example, specifically about mapping, they need to consider the risks that are relevant to AI, which include dependency on data quality, model integrity and updates, reliance on third-party models, cloud infrastructure on embedded AI, and then these risks of hallucinations, bias, unexpected interactions. We probably haven't got time to say a lot more on that here, but do have a look at our website for more on how the FCA can support testing and understanding in this space.
Thank you, Helen. The next question is on reporting incidents. So I'm going to ping this one over to George. If firms want to start reporting incidents now, is the infrastructure in place to receive it at the regulator's end?
Right. So obviously at the moment, we have Principle 11, so firms should engage in an open, cooperative manner, and most of the incidents that we see are reported under that principle. At the moment, firms should continue to do so, to use the channels that they have open to them. So SUP 15 notifications, engage with regulators, supervisors, and we manage it through that way. We obviously are building infrastructure for this. It'll be via Connect. All firms can access Connect. And as I mentioned earlier, any report that's submitted via Connect form will go to the regulators, the PRA, FCA, and the MIS. We won't be opening that solution until March 2027. We will be publishing on our website some guidance to help firms navigate that form. But I would just reiterate that there is plenty in the policy itself with links and annexes of the questions we'll be asking at what point, which aligns largely to FIRE, in fact, often much less than FIRE. So I encourage firms to look at what it is that will be requested in those forms. It's currently being built. It will be ready for you from March 2027 when the rules come into effect.
Thank you. We've got another question that's come in on cyber practices. I think we may have covered some of this.
The question is, what most cyber practices should organisations be working towards? Luke, I think I'll come to you to cover off anything you've not already mentioned.
Thank you, Claire. I get asked this a lot and I think it's a difficult question in some ways because we're aware that firms are on different journeys. They have different sizes and business models, different operations in relation to cyber resilience. But in our 2025 to 2030 strategy, the FCA set out that we would look to try to share more of our insights from our supervisory work with the sector to help enable more firms to learn lessons from the experience of others. So I think in that context, in addition to the CBEST thematic, which I mentioned earlier, I'm pleased to say that we've published actually some other sources of insight relating to cyber resilience in the past 12 months, I think. I can talk a bit more to those. So firstly, with regards to the effective practices paper that Helen mentioned in her section earlier, that publication, which is a joint publication with the PRA, we set out observations on effective practices relating to cyber response and recovery capabilities. And we described how mature firms had worked to focus on simulating really quite destructive scenarios caused by, again, quite highly capable threat actors. They widened the scope of some of their testing to include a variety of resources that supported multiple important business services, and especially involving challenging their plans for things like how they would communicate externally in such a crisis. And we also set out a little bit more about how firms had worked to develop immutable backups to create bare metal rebuild capabilities. So that is the capability to rebuild all aspects of a system, including operating systems, applications, data from scratch, without having to rely on potentially compromised backups or infrastructure.
And the paper goes into a lot more detail and talks to other areas of effective practices, but I strongly recommend people to read it to identify what practices they can apply. The other publication that I'd mention actually is the published insights that the FCA has collected in 2024 and again in 2025 from our cyber coordination group program, the CCG program. And very briefly, for anybody that's not aware, the CCGs bring together about 140 different firms in sector-specific groups to discuss topics that are particularly challenging or particularly topical. And we've committed to aggregating those discussions into themes and to publishing them so that all firms can benefit from reading about the wins, but also the challenges that go into them that CCG members had encountered. And the topics that we've published include practices relating to threat and vulnerability management, emerging technologies, incident response, the CMORG reconnection framework, as well as insider risk management. And in the most recent insights paper, which I think actually was only published last week, there are some really interesting effective practices, in particular on insider risk, such as how securing senior management engagement for insider risk can be achieved and how it can drive more confident and effective insider risk management and how creating cultures of trust and transparency with all users in fact leads to more reliable insider risk outcomes. So I point people to those publications in particular.
Lovely. Thank you, Luke. The next question I'm going to send Joe Hall's way. Joe, could you please elaborate on your expectation for incident reporting where the incident occurs at a third party and information like the details, severity or the impact might take longer than 24 hours to make a judgment on to be able to report?
Yeah. Thanks, Claire. Yes. So we do expect firms to report an incident at a third party.
We have set the reporting requirements out for firms to provide more detail over a longer amount of time. Where an incident is occurring at a third party, we understand that firms might have limited information at the beginning. However, you do need to make a judgment on the incident and how it's impacting you as soon as you can and inform us as soon as you can. Now, the 24 hours is an expectation. If you think you're going to go over that, you know, do inform your supervisor. But we do expect you to understand what is the impact on you. You may not know what's going on at the third party, but you know the impact on your own deliveries and your own ability to deliver services. When it comes to actually providing the information, we step up the information over the course of the life cycle. So as you'll have seen from the template that we published, we ask for a very small amount of information at the start. So if you don't know everything, you should be able to at least tell us what it is and when it occurred and when it impacted you. And then as the time goes on and the incident progresses in its life cycle, you provide more information over time at the intermediate and final stages of that. And we expect you to go to the third party and get that information from them. Obviously, making sure that you are focusing on resolving the incident and dealing with the impact of that incident as a priority.
Thank you, Joe. The next question I've got to send to you, Richard. From a supervisory perspective, how do you intend to use incident and third party reporting data and what signals would indicate that the firm are genuinely embedding the regime into risk and resilience decision making rather than simply meeting reporting obligations?
Thanks very much, Claire.
So we anticipate using the information to inform our response to live incidents, both in terms of giving us the information we need to inform our response and our assessment of firms' responses, of course, and also in our understanding of any interconnectedness that might exist. For example, if there were an issue affecting a third party used by one FMI that we know was also relied upon by another FMI, but perhaps an incident hadn't been reported yet, we might go and speak to that FMI as well and say, you know, is there a problem there? But we'd also want to use it for more thematic analysis, both in relation to vulnerabilities for individual FMI and also across the sector. And that's why the final part of the incident reporting template includes an assessment of the root cause of the incident. So I guess that might relate a bit to the second part of the question, which is to say that if we saw the same or similar incidents emerging as a given firm over time, we'd expect them to address the issue and we would use our supervision to achieve this and ensure that firms took steps to address any vulnerabilities. And that would help make sure that it wasn't simply a case of firms reporting an incident without actions being taken intervention to remedy the root causes that we were seeing.

The next question is on PSD2. I'm going to come to George to take this one. How do the new operational incident rules intersect or replace the major operational incident reporting thresholds and requirements that were previously embedded through delegated legislation under PSD2?

Yeah, thanks, and obviously a lot of feedback we received after the conversation was do more to try and bring regimes together, align. We did lots of work on this because we understand under the current regime you have to report PSD2 incidents as well as perhaps so what we've done let's say subsumed that into this policy.
So we've essentially disapplied the EBS guidelines into reporting under the PSDs as issued in July 2017. So PSD2 should now have regard to the definition of an incident and notification thresholds under this regime and in doing so you should have regard to the factors that we set out in National Guidance 26.3 when assessing whether those incidents meet the notification thresholds. We suspect that PSDs will already have those metrics set up and will track and manage those under the current reporting regime. We encourage firms to use those metrics to inform themselves about whether the incident is notifiable under this regime and we ask some information in the natural templates themselves. So really a lot of what they're trying to negate the impact on you to report incidents and I say for March 27 you won't be submitting by the PSD unification route it would be via this route.

Thank you George. The next one is for Joe George. What and how much information is required on the third party register and will there be a template? Joe.

Thanks Claire. We published a template within the policy statement. The template is also the NTP register template is also available within the guidance document that we published. However, we also understand that firms may not always be going back and referring to this. So when the NTP register requirement comes in from the red data platform, you will also get a copy of that template available to you so that firms can complete that and submit that within the 90-day period that is required there. But additional guidance in terms of what data is required within the template and how to fill out the data fields, we've kind of gone into a lot of detail within the guidance document that is published along with the policy statement. So I'd recommend that everybody refers to that when you are populating your template. Thanks Claire.

Thank you.
The next question is will FCA publish incident reporting information where third parties have multi-firm impact? I'm going to send that one over to George.

Yeah, so for incident reporting, we intend to use the data to be more data regulated as part of our ambitions to be more proportionate and predictable. The data we'll be receiving from across industry persistently will help us feed back to you on some of the trends we're seeing, some of the concerning root causes to help you then take back to your board and say, look, this is what industry has seen, benchmarking ourselves against that, then driving that conversation at the board to ensure you're doing everything you can to ensure you see it's going forward. As part of that, we're putting root causes on there, we'll be looking at timescales to resolve, all that good stuff that's contained in the templates to help those drivers' conversations and work towards the more resilient cultural services sector.

Thank you. We've got one here for George again. Could you briefly touch on intergroup systems, sometimes based in other European countries, and if these are considered to be material outsources?

Thanks, Claire. Like we highlighted in the policy and the guidance document, we do consider intergroup arrangements or some intergroup arrangements to be material, so you need to go back and refer to the materiality definition to determine whether something is material or not. However, to reduce regulatory burden on firms, we've excluded intergroup arrangements from our notification requirements, both for the register and for the notification would be limiting intergroup arrangements, which have a third party dependency. So if your intergroup arrangement has a third party dependency, then it's in scope of reporting. But if there is no third party dependency and you're only dependent on another European entity of the same firm, then you don't have to report that.
But in terms of a risk perspective, would have to look at the risk and accordingly manage that third party arrangement. So intergroup arrangements are as risky as an external third party arrangement, but from a reporting perspective, if there is no third party dependency, you don't have to report it. Back to you, Claire.

Thank you. I'm going to come to Joe Hall for the next one. Bear with me a second. How did it line up? Sorry, bear with me one second. The pressures of live TV. Here we go. Are firms expected to hear back from regulators after submitting the material outsource notifications through the new channel? Would these be shared with supervision teams? And how would that communication and sharing of information work between authorities with dual regulated firms?

Thanks, Claire. I think that's quite a multifaceted question, so I'll take it one by one.

It's a tricky one, Joe. Take it. Take it. Take it.

So for the first question, so I want to make clear that this is not an approval process. So if the regulators don't have any further questions regarding your notification, we may not respond to you. It may be that we have no questions and you will not hear from us. If we do have questions, we will come back to you in order to ask more about the arrangement and just check that the risks are as part of that. They will be shared with the supervisory teams, so it will be your supervisory team that contacts you and information will be shared across the PRA and the FCA for dual regulated firms. So we will all have access to the exact same data and we will contact you. Obviously, it will be your individual FCA and PRA supervisory teams, but we will be working together to make sure that we get back to you with questions and that it is as coordinated as we can make it. But just to, again, reiterate, it's not an approval process so you won't hear back from us every time. But we will make sure that we do get in touch with you if we do have any further questions.
Thank you, Joel. The next question is for Helen. What does effective and thorough scenario testing look like from the FCA's perspective?

Thanks. So I'm sure everyone knows the rule that in carrying out scenario testing, firms must identify an appropriate range of adverse circumstances of varying nature, severity and duration relevant to their business and risk profile and consider the risk to the delivery of their important business services in those circumstances. I think it's really actually key to think about whether you're covering all of those things. Are you thinking about varying nature and duration? Are you thinking about your own business model and risk profile? But I mentioned about this kind of interconnectedness point and how it's important that mapping informs you on your vulnerabilities. Those vulnerabilities can inform your scenario testing as part of this joined up thinking on operational resilience. And I also talked about not overstating or overestimating your ability to recover. So when you're thinking about how you would respond to a particular disruption or scenario, it's really about testing that those response activities will do what you need them to and will prevent that intolerable harm to customers or threats to market integrity from occurring. So if it involves manual workarounds, how credible are they genuinely? How long can you maintain them for? And this is one of the reasons that we think it's important to think about metrics other than time when thinking about impact tolerance. And so it helps understand your real capabilities to prevent these harms, using the options that you really do have at your disposal. And it also includes really thinking about how you'll communicate with the relevant people and teams across your firms as well as with external stakeholders. So having that fully joined up thinking in terms of how you're designing the scenarios, who you're involving in the testing and what assurance you get from that testing.
and then also kind of embedding into that how you'll communicate with the people you need to is really important so that everyone, as I said earlier, everyone knows then what to do if one of these disruptions does occur in real life.

Lovely. Thank you, Helen. We've got another question that I'm going to send your way, George. Can banks implement their own framework for assessing whether an operational incident has met their thresholds and take that as operational incident reporting criteria to the FCA under the FG 26.3?

Yeah, absolutely. And I've got trouble that earlier, but absolutely. And not just the banks or any related firms and obviously regulate multiple thousands of them. It is for you guys and firms knowing their business models, knowing the services they provide their customers to assess whether the incident that happens within infrastructure is reportable to us. Now, you may want to choose to take various data points that you've set up or create more based on the factors that we put out in the guidance, but we don't want the guidance to be a tick box exercise. So when it's happened, you're going to reach one and going, have we considered this? It's up to you to take the guidance you provided and make sure it works for your business and your incident response. Firms may want to actually just elaborate or build upon what they've really got in place. So for example, if you run a gold, silver, bronze command or P1, P2, P3 type structure, you may want to consider that, right, do these types of classification, these severities, should we use those as a guideline for to report to the FCA? You may want to also think about your IBSs or how much of your ITILs can be consumed. We can't mandate or legislate for every single firm, so we're really turning on to you guys to do what you think is right. I mean, report to us as you see there.

Lovely. Thank you, George. And unless we have any other questions, one more has come in. This one is for Joe Hall.
To what extent does the FCA and PRA engage with other regulators when developing policy?

Yeah, that's a very interesting question. So we obviously do speak to other regulators within the UK to double-check. Anything that we're implementing doesn't go against their policy, particularly for firms. We also work with regulators in other jurisdictions as well. So, for example, we did speak to the EU and those that are running the DORA side of things, and also other standard setting bodies, so the FSB and the IAS, to make sure that everything that we're developing is in line and making sure that we are aware of any other policies that are coming out that firms, particularly those that operate across multiple jurisdictions or within the UK, operate across multiple and are subject to other regulations, need to deal with. So you shouldn't have too many policies that you have to deal with at the same time, and also to make sure that nothing that we're doing goes against any other policy as well. So we do make sure that we engage with other regulators as we develop to make sure that we're not over putting too many regulations on our firms.

Okay, so I think we pretty much covered all of the questions that we've received today. We do have one final question, which is for me, and I thought as chair I got away with that without having to answer any questions, but this one is, will you host another webinar next year on GoLive? GoLive. Well, we don't make any promises, but let's just say we'll be looking into how to best engage with industry over the next year. So watch this space. So I'd like to say thank you to everyone who has dialed in today. There were thousands of you who registered for the webinar, and we're really delighted that we've had so much engagement from you all in this really important policy. I'd also like to thank the speakers and the people behind the scenes who've been feeding me with questions to fire at them.
And it therefore leaves me to wrap up our webinar for this morning. Thank you all again for listening. And goodbye from us. Thank you.