Insurer authorisation and prudential rules

Get authorised as a dual-regulated firm

You cannot carry on insurance business without permission: effecting and carrying out contracts of insurance are PRA-regulated activities, so authorisation is led by the Prudential Regulation Authority, with the FCA's consent — you deal with both regulators from day one. Carrying on a regulated activity without authorisation is a criminal offence — see the consequences of unauthorised business.

FCA and PRA authorisation for insurers (FSMA 2000)

Effecting and carrying out contracts of insurance are PRA-regulated activities under FSMA 2000; insurers must be dual-authorised by the PRA (prudential) and the FCA (conduct) before writing business.

Effecting and carrying out contracts of insurance (article 10, with exclusions in articles 11–12, of the FSMA 2000 (Regulated Activities) Order 2001) are PRA-regulated activities under the Financial Services and Markets Act 2000 and the FSMA 2000 (PRA-regulated Activities) Order 2013. An insurer must hold Part 4A permission and is dual-regulated: the PRA for prudential soundness (Solvency UK) and the FCA for conduct.

The general prohibition in section 19 makes it a criminal offence (section 23) to carry on a regulated activity without authorisation or exemption — punishable by up to two years' imprisonment and/or an unlimited fine, with agreements made by an unauthorised person potentially unenforceable. Firms must satisfy the threshold conditions and maintain their permission on an ongoing basis.

Legal basis: FSMA 2000 (ss19, 23, Part 4A); RAO 2001 (art 10); FSMA 2000 (PRA-regulated Activities) Order 2013
Regulators: PRA (prudential) and FCA (conduct) — dual regulation
Regulated activities: Effecting and carrying out contracts of insurance
Permission: FSMA Part 4A permission; threshold conditions met on an ongoing basis
Unauthorised activity: Criminal offence (FSMA s19/s23) — up to 2 years and/or unlimited fine
Geographic scope: UK-wide

Bank of England / PRA — authorisation of insurers

Reinsurers are authorised the same way

Reinsurance — insuring other insurers — is itself effecting and carrying out contracts of insurance, so a pure reinsurer needs the same PRA-led Part 4A permission and prudential supervision. If you accept risk through the Lloyd's market instead, the market has its own structure — see accessing the Lloyd's of London insurance market.

PRA authorisation for reinsurance

Carrying out contracts of reinsurance is an insurance regulated activity in its own right; UK reinsurers are PRA-authorised and subject to Solvency UK.

Carrying out contracts of reinsurance is an insurance regulated activity in its own right under the FSMA 2000 (PRA-regulated Activities) Order 2013 and the Regulated Activities Order 2001. A UK reinsurer must be authorised by the PRA and meet the Solvency UK prudential regime.

Reinsurance is generally a business-to-business activity, so the consumer-facing conduct, FSCS and financial-promotions requirements that apply to retail insurers do not bite at this activity. Where Insurance Special Purpose Vehicles (ISPVs) are used for insurance-linked securities, a bespoke PRA authorisation route applies. The PRA scrutinises effective risk transfer, catastrophe-risk aggregation and (for life reinsurance) recapture risk.

Legal basis: FSMA 2000 (PRA-regulated Activities) Order 2013; RAO 2001
Regulator: Prudential Regulation Authority (PRA)
Prudential regime: Solvency UK
Nature: Generally B2B — no retail conduct/FSCS exposure at this activity
ISPVs: Insurance Special Purpose Vehicles have a bespoke PRA authorisation route
Geographic scope: UK-wide

Bank of England / PRA — insurance authorisation

Hold capital to the Solvency UK standard

Once authorised, your balance sheet is supervised continuously. The Solvency UK regime — the reformed successor to Solvency II — sets your capital requirements, governance standards and reporting to the PRA.

Solvency UK capital requirements for insurers

Capital requirements for UK-authorised insurers under Solvency UK regime (post-Brexit replacement for Solvency II).

Solvency UK (implemented 31 December 2024) replaced EU Solvency II with UK-specific capital requirements for insurers. Dual-regulated insurers must meet PRA prudential standards and FCA conduct requirements.

Minimum Capital Requirement (MCR) - Life: €3.7 million (~£3.14 million)
Minimum Capital Requirement (MCR) - Non-life: €2.5 million (~£2.12 million)
Minimum Capital Requirement (MCR) - Reinsurance: €3.7 million (~£3.14 million)
Solvency Capital Requirement (SCR): Calculated via Standard Formula or Internal Model
SCR coverage ratio requirement: Must maintain 100% SCR coverage at all times
Own Funds - Tier 1 requirement: At least 50% of SCR must be Tier 1 capital
Own Funds - Unrestricted Tier 1: At least 80% of Tier 1 must be unrestricted
Own Funds tiers: Tier 1 (highest quality), Tier 2, Tier 3 (lower quality)
Risk Margin reduction: 65% cut to risk margin (effective 31 December 2024)

Bank of England Solvency UK

Life insurers: ring-fence the long-term fund

If you write life or other long-term business, the assets backing long-term policyholder liabilities have their own protections — separation from general business, restrictions on use, and with-profits governance where relevant. If your pension products are used by employers for automatic enrolment, the qualifying-scheme requirements also apply — see the qualifying-scheme section of run an occupational pension scheme; the rest of that guide is for trust-based schemes.

Long-term (with-profits) insurance fund governance

Life insurers writing long-term business must maintain a separate long-term insurance fund, treat with-profits policyholders fairly, and obtain court approval for insurance business transfers.

A life insurer writing long-term business must maintain a separate long-term insurance fund and may not carry on general insurance business in the same legal entity (the composite split). The activity is PRA-authorised under FSMA 2000 Part 4A.

With-profits firms must appoint a With-Profits Actuary, maintain and publish their Principles and Practices of Financial Management (PPFM), and treat with-profits policyholders fairly under the FCA's COBS 20. Any transfer of insurance business between entities requires court approval under Part VII of FSMA 2000, with an independent expert's report and regulator involvement.

Legal basis: FSMA 2000 (Part 4A; Part VII business transfers); RAO 2001
Regulator: PRA (prudential), with FCA conduct oversight (COBS 20)
Fund separation: Separate long-term insurance fund; no general business in the same entity
With-profits governance: With-Profits Actuary; PPFM; fair treatment of with-profits policyholders
Business transfers: Court approval under FSMA Part VII (independent expert report)
Geographic scope: UK-wide

FCA — with-profits

Meet operational resilience requirements

Insurers must identify their important business services, set impact tolerances for disruption, and be able to stay within them — a joint FCA and PRA regime. Cyber risk is central to it: see cyber security for financial services firms.

FCA/PRA operational resilience requirements for financial services

Key deadline (31 March 2025) and core requirements for financial services firms including IBS mapping, impact tolerances, scenario testing, and third-party risk.

All in-scope financial services firms must comply with operational resilience requirements by 31 March 2025. This includes banks, insurers, electronic money institutions, payment institutions, investment firms, and certain other authorised firms.

The FCA has identified unregulated third-party issues as the primary source of operational incidents in 2022-2023.

Compliance deadline: 31 March 2025
In-scope firms: Banks, insurers, electronic money institutions (EMIs), payment institutions (PIs), investment firms, certain other authorised firms
Regulatory bodies: Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), Bank of England
Requirement 1: Important Business Services (IBS) mapping: Identify and map all services that if failed would cause intolerable harm to consumers, threaten firm's viability, or threaten market integrity/financial stability
IBS mapping requirements: Complete mapping exercise, identify all components (people, processes, technology, facilities, information, third parties), understand dependencies, document end-to-end service delivery
Requirement 2: Impact tolerances: Set maximum tolerable level of disruption for each IBS (hours/days downtime, regulatory metrics, financial metrics, customer impact)
Requirement 3: Scenario testing: Test whether you can stay within impact tolerances during severe but plausible scenarios
Scenarios must include: Cyber attack, loss of key supplier, loss of critical staff, technology failure, third-party failure
Testing methods: Desktop exercises, simulation exercises, live testing (where safe)
Testing frequency: Regular testing (at least annually for critical scenarios)
Requirement 4: Third-party risk management: Due diligence before engagement, contractual security requirements, ongoing monitoring, exit plans, cyber security standards for third parties
FCA recommended practice: TLPT: Threat-Led Penetration Testing - extremely effective tool for identifying unknown vulnerabilities
FCA baseline expectation: Implement NCSC 10 Steps to Cyber Security as foundational cyber security
Future consultation (H2 2025): FCA and PRA intend to consult on ICT and cyber risk management policy (likely DORA-style requirements)
PRA 2025 focus: Insurers' cyber resilience under spotlight (hold significant customer data, critical role in financial system)

Next steps

Work through your conduct-side duties in insurer conduct and accountability rules, make sure the shared duties in run a compliant insurance or pension business are in place, then confirm everything with the insurance and pension compliance checklist.

Insurer authorisation and prudential rules

Apply for FCA authorisation under Part 4A FSMA

Cryptoasset Business Regulation

Cyber security for financial services firms

Get FCA authorisation for financial services

Understanding UK consumer credit regulation

Get authorised as a dual-regulated firm

Reinsurers are authorised the same way

Hold capital to the Solvency UK standard

Life insurers: ring-fence the long-term fund

Meet operational resilience requirements

Next steps

Related guides in Financial Regulation Overview

Get authorised as a dual-regulated firm

Reinsurers are authorised the same way

Hold capital to the Solvency UK standard

Life insurers: ring-fence the long-term fund

Meet operational resilience requirements

Next steps