Content Options:

Content Options

View Options:


You are viewing the version of the document as on 2025-11-03.

CTPS 8.1 Initial incident report

CTPS 8.1.1 R

1A critical third party must, as soon as is practicable after the occurrence of a CTP operational incident and in so far as it is aware at the time of submission, submit the following information about the CTP operational incident:

  1. (1)

    to the regulators and to affected firms:

    1. (a)

      a description of the CTP operational incident, including:

      1. (i)

        the nature and extent of:

        1. (A)

          the disruption to systemic third party services; or

        2. (B)

          impact to the critical third party’s operations;

      2. (ii)

        the time when the CTP operational incident was detected (and, if different, the local time in the location where the CTP operational incident was detected);

      3. (iii)

        the name and number of systemic third party services affected;

      4. (iv)

        the geographical area, including the jurisdictions, affected by the CTP operational incident; and

      5. (v)

        if known, the cause of the CTP operational incident;

    2. (b)

      contact details of any individual who is responsible for communicating with the affected firms about the CTP operational incident;

    3. (c)

      details of any initial action taken or planned in response to the CTP operational incident;

    4. (d)

      the anticipated amount of time it will take to resolve the CTP operational incident, including the anticipated recovery time for each systemic third party service affected; and

    5. (e)

      any other information the critical third party reasonably considers relevant to the affected firms and the regulators in making an initial assessment of the CTP operational incident’s potential impact on affected firms; and

  2. (2)

    to the regulators:

    1. (a)

      the names of the affected firms;

    2. (b)

      the names of any other regulatory body or authorities (other than the regulators) that have been notified of the CTP operational incident; and

    3. (c)

      any other information that the critical third party reasonably considers will assist the regulators in making an initial assessment of the impact the CTP operational incident could have on the stability of, or confidence in, the UK’s financial system.

CTPS 8.2 Intermediate incident report

CTPS 8.2.1 R

1A critical third party must, as soon as is practicable after any significant change in circumstances from that described in the initial report submitted under CTPS 8.1.1R (Initial incident report) and any intermediate incident report already submitted under this rule (including the CTP operational incident being resolved) and in so far as it is aware at the relevant time, provide the regulators and the affected firms with information further to that already disclosed in relation to the CTP operational incident, including but not limited to:

  1. (1)

    any information that the critical third party reasonably considers will assist the regulators and affected firms in understanding the nature and extent of the CTP operational incident;

  2. (2)

    any steps taken to resolve the CTP operational incident;

  3. (3)

    if the CTP operational incident has been resolved, the time and date it was resolved; and

  4. (4)
    1. (a)

      any other information the critical third party reasonably considers to be relevant to affected firms; and

    2. (b)

      to the regulators only, any other information the critical third party reasonably considers to be relevant to the regulators.

CTPS 8.3 Final incident report

CTPS 8.3.1 R

1A critical third party must, within a reasonable time of the CTP operational incident being resolved, provide the regulators and the affected firms with the following information in relation to the CTP operational incident:

  1. (1)

    the time and date that the CTP operational incident was resolved;

  2. (2)

    a description of the root causes (in so far as it is aware at the time of submission);

  3. (3)

    a description of any remedial actions the critical third party has or is planning to put in place and an estimated timeline for the completion of those remedial actions;

  4. (4)

    a description of the critical third party’s assessment of:

    1. (a)

      the likelihood of recurrence of the CTP operational incident; and

    2. (b)

      the long-term implications of the CTP operational incident;

  5. (5)

    a description of identified areas for improvement for the critical third party and, where relevant, the affected firms; and

  6. (6)
    1. (a)

      any other information the critical third party reasonably considers to be relevant to affected firms; and

    2. (b)

      to the regulators only, any other information the critical third party reasonably considers to be relevant to the regulators.