Operational resilience insights for insurance firms

We asked a sample of firms about our rules for strengthening operational resilience. Use our observations to review your firm’s approach.

Actions for insurance firms

Ensuring the UK insurance sector is operationally resilient is important for consumers, firms and financial markets. On 29 March 2021, with the Bank and the Prudential Regulation Authority (PRA), we published a shared policy statement on requirements to strengthen operational resilience in the financial services sector.

Our rules and guidance came into force on 31 March 2022.

Now that this date has passed, if your firm is in scope you must have:

identified your important business services
set impact tolerances for the maximum tolerable disruption, and carried out mapping and testing to a level of sophistication necessary to do so
identified any vulnerabilities in your operational resilience

We encourage firms to review the observations below and consider how your own preparations have aligned with our observations.

We expect all in-scope firms to address any remaining gaps or shortcomings in their operational resilience frameworks, and meet all obligations under our rules, by 31 March 2025.

Firms that are in scope

Our rules and guidance apply to all Solvency II insurers. Insurance intermediaries may also be in scope where they meet the definition of an enhanced scope SM&CR firm. The observations from our review will therefore be relevant to both Solvency II firms and insurance intermediaries where they are in scope of the policy, and of interest more broadly to other firms in the sector.

These rules do not apply to EEA firms. This includes previously incoming EEA firms who have now entered the Temporary Permissions Regime (TPR) or Financial Services Contracts Regime (FSCR). We have also added provisions to the rules in our Handbook to clarify that overseas firms are not in scope.

If your firm is in scope, you should consider our observations and how they apply to your own activities. This will help you identify where there are gaps or weaknesses in your current approach, and to consider actions you may need to take.

Please note that these were our initial observations based on a small sample of firms. They did not constitute guidance or a summary of our rules. The full requirements are in PS21/3, SS1/21 and accompanying documents published on 29 March 2021.

Our sample of 47 firms

We requested information on a voluntary basis from a sample of 47 firms to assess how they had responded to our final operational resilience rules and guidance. This included insurers and intermediaries from the wholesale, retail and life insurance sectors.

For dual regulated firms, we reviewed and analysed this information in collaboration with the PRA.

We assessed the answers provided on these 3 criteria, taking into consideration the PRA’s and FCA’s statutory objectives:

the reasonableness of the important business services and impact tolerances selected
consideration of consumer harm differentiated by product type or distribution channel
consideration of consumer harm according to customer type or vulnerability

Key observations

Across the range of answers provided, we were able to identity key components that allowed us to form a view of the firms’ readiness for the upcoming rule changes.

Examples of good practice

It was encouraging to see that some firms demonstrated a clear understanding of our rules, including firms that:

identified all the important business services expected for the firms’ business model
considered possible harms at each point of the customer journey including purchasing, amending and renewing a policy, as well as the ability to make a claim or a complaint
provided considered examples of the types of harm a consumer may experience, differentiated by:
- product type
- customer profile
- distribution method
provided carefully calibrated tolerances with accompanying rationales and possible alternatives
correctly identified that no intolerable harm arose from their services being unavailable as similar products were available and easy to substitute
considered the expectations to consider the impact on:
- the financial stability of the UK economy, in line with section 3.15 of PS6/21
- safety and soundness and policyholder protection, in line with section 2.5 of SS1/21 (observation specific to dual regulated firms)

Areas for improvement

We also noted areas that required further improvement, including firms that:

did not demonstrate an understanding of the FCA and PRA guidelines or had not yet applied them fully to their operational resilience programmes
did not identify important business services that would reasonably be expected for the firm's business model or included internal or irrelevant businesses services
identified important business service areas inconsistently between internal departments without rationale or justification
did not consider consumer harm from being unable to purchase, amend or renew products
applied unsuitable answers to services underpinning both corporate and commercial products without consideration of the end user
did not meaningfully consider the impact of unavailable important business services on vulnerable customers
appropriately identified high levels of consumer harm due to an unavailable important business service but set impact tolerances that seemed comparatively lenient
provided broad or generic answers that had been applied across all identified important business services or impact tolerances
copy-pasted the impact tolerances relating to intolerable customer harm for those relating to financial stability, safety and soundness and policyholder protection without appropriate rationale (observation specific to dual regulated firms)
selected extremely short impact tolerances (without recognising their practicality) or extremely long impact tolerances (by ignoring the reputation and other consequences of operational disruptions)
misunderstood our definition of internal services or included internal services among the list of important business services

Operational resilience

Russian invasion of Ukraine: operational and cyber resilience

Page updates

31/03/2022 : Information changed To reflect that our rules and guidance came into force on 31 March 2022

Operational resilience insights for insurance firms

On this page