Recent developments in the UK insurance market make this question particularly timely.
Enforcement action and the transition to Solvency UK since 31 December 2024 have brought renewed focus to the quality of solvency reporting across the UK insurance market and revealed some significant assurance gaps.
The Prudential Regulation Authority’s (PRA) £10.6 million fine against Direct Line Group in March 2026 for material errors in regulatory reporting is a stark reminder of the risks.
What has changed?
The quiet removal of mandatory SFCR audit and its consequences
Since 15 November 2018, the PRA has exempted insurers meeting the definition of a “small firm for external audit purposes” from mandatory SFCR audit requirements in the UK. This change removed external audit obligations for more than 150 firms and groups across the UK market.
Crucially, although the audit requirement was removed, supervisory expectations were not relaxed. Boards remain responsible for the accuracy, completeness and regulatory compliance of regulatory reporting disclosures. For many firms, this has created an implicit assurance gap: accountability remains firmly with the board, but independent challenge and validation may now be less routine than in the past.
Solvency UK: more judgement, greater assurance needs
The implementation of Solvency UK from 31 December 2024 was intended to create a more proportionate and flexible prudential framework, particularly for smaller insurers. However, this flexibility comes with important implications for solvency reporting accuracy.
Solvency UK reduces prescriptive requirements in certain areas and places greater reliance on management judgement, internal models and other model-based calculations, attestations, and governance processes. Supervisory focus has continued to shift towards controls, data quality, and end-to-end reporting accountability. For example, under Solvency UK there is increased reliance on management judgements around transitional measures on technical provisions, risk margin recalculation, management actions within the SCR, and data adjustments supporting Internal Risk (IR) templates. Each of these areas introduces model overlays and governance dependencies that are not easily “self‑evident” in the final numbers without effective challenge and testing.
In practical terms, this means assurance mechanisms matter more, not less. As reporting becomes more judgement-based, the risk increases that errors develop gradually and remain undetected over multiple quarters.
Control rather than technical failures
In the case of Direct Line, the solvency reporting errors arose from weaknesses in internal reporting, controls, and governance frameworks rather than a failure of regulatory processes themselves. Over multiple reporting cycles, solvency ratios were misstated before the issues were identified and corrected. This was neither an isolated incident nor a short-lived issue confined to a niche calculation, and it highlights a fundamental truth for the wider market: solvency information relied upon by boards, regulators, and stakeholders is only as strong as the processes and controls that underpin it, and the independent assurance that tests them.
Where solvency reporting assurance gaps are now emerging
Across the market, a consistent set of questions is emerging:
- Who is independently validating the end-to-end production process for the SFCR and key quantitative reporting outputs (now delivered through Internal Risk (IR) templates, formerly QRTs)?
- How frequently are regulatory reporting controls tested, rather than assumed to be effective?
- How would management know if a material issue similar to the Direct Line case was crystallising over time?
In many firms, second-line review provides a degree of challenge. However, third-line coverage of regulatory reporting is often periodic, narrowly scoped, or absent altogether. This position is increasingly misaligned with regulatory expectations and recent enforcement outcomes.
The evolving role of third-line assurance
For insurers without mandatory SFCR audits, internal audit is often viewed as the primary independent source of assurance to the board. However, internal audit is not the only option, and for some smaller insurers internal audit capability may be limited in scope, heavily outsourced, or focused primarily on non‑prudential areas.
As a result, many insurers are adopting a broader and more flexible third-line assurance model.
This may include:
- Targeted, non-statutory assurance reviews by external auditors over specific aspects of solvency reporting (subject to Audit Committee approval)
- Independent actuarial reviews of own funds, SCR calculations, or management overlays (for example, judgement-based adjustments to model outputs, expert judgement within risk margin calculations, or data corrections applied during IR template production)
- Regulatory reporting health checks and data lineage reviews
- Skilled-person-style deep dives focused on higher-risk or judgement-heavy areas
Leading practice increasingly reflects a blended approach, including:
- Periodic independent reviews of solvency governance and controls
- Thematic assurance aligned to Solvency UK implementation and regulatory change
- Focused assurance over key judgements, overlays, and data flows – not just calculations
- Clear reporting to audit committees on residual solvency reporting risk, regardless of the assurance provider
This is not about replicating a full statutory audit where one is not required. It is about ensuring boards receive credible, independent assurance over information they are approving, disclosing, and submitting to the regulator.
Key questions for boards to ask now
As part of routine quarterly reporting, boards may wish to reflect on a small number of fundamental questions:
- When did we last receive independent assurance over regulatory reporting?
- Is our current level of assurance proportionate to regulatory, financial, and reputational risk?
- Is the frequency, scope, and independence of our internal audit or external assurance activity aligned to how critical solvency information is to regulatory compliance, capital decisions, and board risk appetite?
- And would we detect a Direct Line–style issue early enough to intervene?
Conclusion
Regulatory reporting is not just a compliance deliverable. It is a clear test of governance effectiveness and control maturity. In a Solvency UK environment, where external audit is not requisite and judgement plays a greater role, confidence must be built deliberately through proportionate, independent assurance.
Whether delivered through internal audit, external auditors, or other third-line reviews, boards should be clear when that assurance was last obtained and whether it remains fit for the risk they are carrying today.
If you would like further guidance or support in strengthening your regulatory reporting framework, controls, or assurance approach, our specialists can help.

