
How FCA Supervisory Review Works for Insurance Firms

Inside an FCA supervisory review — how firms are selected, what the request letter looks like, what data is examined, and how to prepare your insurance operations.

March 30, 2026 · 12 min read

Most insurance compliance professionals understand that the FCA can come calling. Fewer understand precisely how that process unfolds — what triggers a review, what arrives in the post, what the supervisor actually looks at, and what distinguishes a smooth engagement from one that ends with a skilled person report. This guide walks through the full lifecycle of an FCA supervisory review for insurance firms, from selection to outcome.

The FCA's Supervisory Approach in 2025–2026

The FCA's supervision model has evolved substantially over the past decade. The regulator no longer relies primarily on firms self-reporting problems or on complaints as a lagging indicator. It now operates a genuinely data-driven, proactive supervisory approach that identifies potential issues before they crystallise into widespread consumer harm.

At the core of this shift is the FCA's use of its own analytical capabilities. The regulator ingests significant volumes of data from firms through regulatory returns, complaints reporting, claims outcome data, and the management information that larger firms are required to submit. It then applies statistical analysis to identify outliers — firms whose metrics deviate meaningfully from peers in the same product category or distribution channel.

This is a fundamentally different environment from one where supervision was primarily reactive. A firm that has received no complaints and no enforcement action might still receive a supervisory information request because its claims settlement times, its decline rates, or its complaint-to-claim ratios look anomalous relative to comparable firms.

The Consumer Duty, which came into full force in July 2023 and was extended to closed book products in July 2024, has sharpened this further. The FCA has been explicit that it will use supervisory activity — not just enforcement — to assess how firms are evidencing good outcomes. The burden of proof runs the other way: firms must be able to demonstrate that their practices produce good outcomes, rather than the FCA being required to prove harm.

How Firms Are Selected for Review

Selection for supervisory review is not random, though random sampling does play a role in the FCA's methodology. The regulator uses several distinct mechanisms to determine which firms to examine and when.

Data-Driven Signals

The FCA collects and analyses complaints data submitted under DISP reporting requirements, claims outcome data where available, Financial Ombudsman Service referral rates, and management information submitted directly by firms. Where a firm's metrics sit at the edge of a distribution — for example, an unusually high claims decline rate, an unusually low complaints upheld rate, or complaint volumes that are rising while peers are flat — that can be a signal that triggers further examination.

The FCA also receives intelligence from whistleblowers, from FOS case handlers identifying patterns, and occasionally from other regulators. None of these signals automatically triggers a formal supervisory action, but they contribute to a risk assessment that determines supervisory intensity.

Sector-Wide Thematic Reviews

The FCA periodically announces thematic reviews covering all or a significant proportion of firms in a product or distribution category. These are not targeted at specific firms — they represent a sector-wide inquiry into whether a particular practice, product design, or consumer outcome concern is widespread. When the FCA conducted its review of insurance claims handling in motor and home products, large numbers of firms received information requests simultaneously.

Thematic reviews typically result in published findings that set expectations for the whole sector. Firms that participated in the review but were found to have poor practices may receive individual follow-up. Firms that did not participate but whose practices are similar to those criticised in published findings are on notice.

Firm-Specific Risk Indicators

Beyond aggregate data, the FCA forms qualitative risk assessments of individual firms. These incorporate governance intelligence — regulatory notifications about senior manager changes, material complaints about specific individuals, or notifications of significant operational events. A firm that has notified the FCA of a significant IT outage affecting claims processing, for example, may find itself subject to closer oversight for the period following that event.

Random Sampling for Benchmarking

The FCA does conduct some supervision on a random sample basis, particularly for smaller firms where data signals are less statistically meaningful. These reviews help the regulator calibrate its overall understanding of the market and identify issues that might not be visible through the data it routinely collects.

Types of Supervisory Review

Understanding the type of review you are dealing with affects how you should respond and what resources you need to marshal.

Supervisory Visits

A supervisory visit involves FCA supervisors attending your premises — or, increasingly, conducting a virtual equivalent — to review documentation, speak with senior management, and observe operations. In-person visits are more intensive and typically reserved for higher-risk firms or situations where the FCA has specific concerns it wants to investigate in person. Virtual visits have become a standard alternative and can be equally thorough.

A visit will typically be preceded by an advance information request, giving the firm time to assemble the relevant documentation. The visit itself then involves structured interviews with accountable executives, a review of the documentation provided, and potentially walk-throughs of specific operational processes.

Desk-Based Reviews

A desk-based review involves no attendance. Instead, the FCA issues a detailed information request and reviews the materials submitted. These are the most common form of supervisory engagement and should not be treated as less significant because no one shows up in person. The quality and completeness of your response to a desk-based review are themselves evidence of your operational capability and governance.

Attestation Requirements

Following a review, or sometimes as a standalone supervisory tool, the FCA may require that a CEO, board, or specific senior manager formally attest to a set of statements about the firm's practices. These attestations carry personal accountability — a senior manager who signs an incorrect attestation faces potential enforcement action under the Senior Managers and Certification Regime. Firms should not treat attestation requests as routine paperwork.

Thematic Reviews

As described above, thematic reviews cast a wider net across the sector. They typically involve a subset of firms receiving detailed information requests, with the results aggregated into published findings. Being selected for a thematic review is not necessarily a sign of elevated concern about your specific firm, but your response and the quality of your evidence matter regardless.

Before the Visit: The Information Request Letter

The information request letter is the first formal document in a supervisory review. Its structure varies but typically follows a recognisable pattern. Understanding what it is likely to ask for allows firms to maintain documentation in a state of readiness rather than scrambling to produce it under time pressure.

A standard insurance claims-focused information request will typically ask for some or all of the following:

  • Claims data: a specified period of claims received, categorised by type, outcome, settlement value, and time to resolution
  • Customer communications: examples of standard letters, automated communications, and correspondence templates used at different stages of the claims process
  • Governance documents: the claims handling policy, the complaints handling policy, any vulnerable customer policies, and evidence of board or executive sign-off
  • Management information: the MI packs provided to the board and executive committee covering claims outcomes, complaints, and regulatory risk
  • Board minutes: relevant extracts showing that governance bodies have considered claims outcomes, Consumer Duty compliance, and any remediation activity
  • Complaints data: complaints received, categorised by root cause, and evidence of how root cause analysis feeds into process improvement
  • Vulnerable customer evidence: how the firm identifies vulnerable customers within the claims process and what adjustments are made

The letter will typically specify a response deadline — often 10 to 15 business days for initial materials. Requesting an extension is possible but should not be the default; a firm that struggles to produce standard governance documentation within a reasonable timeframe raises questions about the quality of its record-keeping.

What the FCA Examines During Claims Reviews

When reviewers work through the materials a firm submits, they are examining several dimensions simultaneously. A firm that understands what they are looking for can ensure that its evidence addresses those dimensions explicitly.

Settlement Consistency

The FCA looks for evidence that similar claims are being treated similarly. Significant unexplained variation in settlement values or outcomes for comparable claims suggests either that decision-making is insufficiently standardised, or that there are systematic biases in how different customer cohorts are treated. Either finding is concerning. Firms should be able to demonstrate a documented claims assessment framework and evidence that it is being applied consistently.

Turnaround Times

Delay in claims handling is one of the most visible indicators of poor customer outcomes. The FCA will review average and distribution data on time from notification to first contact, time from first contact to decision, and time from decision to payment. Outliers — cases that took significantly longer than the average — will attract scrutiny. The firm should be able to explain what happened in those cases and what has been done to prevent recurrence.

Vulnerable Customer Handling

The FCA's guidance on vulnerable customers has significantly raised expectations here. Reviewers will look for evidence that the firm has a structured approach to identifying vulnerability — not just responding when customers self-disclose, but proactively considering whether the circumstances of a claim suggest the customer may need additional support. They will also look for evidence that identified vulnerabilities actually changed how the case was handled.

Communication Clarity

Customer communications will be reviewed against Consumer Duty standards of clarity. The FCA is particularly focused on decline letters and partial settlement communications — these are the points at which the risk of a customer not understanding their position is highest. Communications that rely on technical language, that bury the key decision in dense text, or that fail to signpost complaints routes will be flagged.

Audit Trail Completeness

Perhaps the single most critical element of any supervisory review is the audit trail. The FCA needs to be able to reconstruct what happened on any given claim — who made what decisions, when, on the basis of what information, with what authorisation. Where the audit trail is incomplete or inconsistent, the supervisor cannot verify that good processes were followed. An absent or inadequate audit trail is itself a finding, regardless of whether the underlying outcomes were good. See our detailed guidance on building compliant audit trails for a full discussion of what regulators expect.

Governance and Oversight Evidence

The FCA will assess whether the board and executive committee are genuinely overseeing claims operations. This means looking for evidence in board papers and minutes that outcomes data is being reviewed, that concerns are being raised and addressed, and that the firm is not relying on a "no news is good news" approach to governance. A well-drafted board paper that identifies a claims handling problem and evidences the remedial action taken is more reassuring to a supervisor than a board paper that reports consistently good metrics with no critical analysis.

Typical Findings and What Triggers Escalation

Not every supervisory review results in a finding. Many conclude with a letter confirming that the FCA is satisfied with what it has seen, potentially with observations about areas for improvement. But certain patterns reliably lead to escalation.

Inability to Produce Data Promptly

A firm that takes weeks to produce standard claims data, that provides incomplete extracts, or that presents data in inconsistent formats across different parts of the response, signals that its data governance is poor. This can itself be a finding and typically leads to broader questions about whether the firm's management information is reliable.

Inconsistent Treatment of Similar Claims

Statistical analysis of claims outcomes that reveals unexplained variation — by customer age, geography, acquisition channel, or other characteristics that should not affect settlement outcomes — is a serious concern. The FCA will want to understand whether the variation reflects genuine case-specific factors or whether it represents systematic unfairness.

Evidence of Poor Customer Outcomes

Case file reviews that show customers being given inaccurate information, claims being declined on grounds that were subsequently overturned at FOS, or communications that failed to properly inform customers of their options will typically result in a requirement to review a broader sample of cases and potentially to remediate affected customers.

Inadequate Vulnerability Frameworks

Firms that have a vulnerability policy on paper but cannot demonstrate that it is applied in practice — whose claim files show no evidence of vulnerability considerations even where customer circumstances clearly suggest them — will receive findings. The gap between policy and practice is a common theme in FCA insurance supervision.

Consequences of a Supervisory Review

The outcome of a supervisory review sits on a spectrum from a clean bill of health to formal enforcement action, with several intermediate stages.

The most common outcome for firms with identified issues is a "Dear CEO" letter or equivalent formal communication setting out findings and requiring the firm to submit a remediation plan. The firm must respond within a specified timeframe and may be required to provide follow-up evidence that remediation has been completed.

More serious concerns may result in a requirement for a skilled person review under section 166 of FSMA. This involves an independent expert, approved by the FCA, conducting a structured examination of specified aspects of the firm's operations. Skilled person reviews are expensive and time-consuming, and the costs are borne by the firm.

In the most serious cases, the FCA can impose requirements and directions — formal legal constraints on how the firm operates, for example restricting its ability to write new business in a particular category until remediation is complete. Financial penalties and, in extreme cases, business restrictions or cancellation of regulatory permissions represent the far end of the spectrum.

For guidance on the full range of UK insurance compliance obligations, including both FCA and related regulatory requirements, see our comprehensive overview.

How to Prepare Now

The most effective preparation for a supervisory review is not a pre-visit scramble but an ongoing operational discipline that means the firm is always in a state of readiness.

Systematic Evidence Capture

Every claims decision, every customer communication, every governance discussion should generate a contemporaneous record that can be retrieved rapidly in response to a regulatory request. This is not about creating additional work — it is about ensuring that the work your teams are already doing leaves a retrievable trace. Claims systems that generate automatic audit logs, governance platforms that timestamp board papers and record votes, and communication platforms that archive outbound customer correspondence all contribute to this.

Regular Self-Assessment

Firms that are surprised by FCA findings have usually not been asking themselves the same questions the FCA would ask. A structured self-assessment programme — reviewing claims outcome consistency, auditing a sample of declined claims for quality of reasoning, checking that vulnerable customer policies are actually applied in practice — surfaces issues before they become regulatory findings.

Mock Review Exercises

Some firms conduct formal mock supervisory reviews, engaging internal audit or external consultants to simulate the information request process. This tests not just whether the evidence exists but whether it can be assembled rapidly and in the format that a regulator would find usable. It also tests the resilience of the response process — can the firm mount an effective response if key individuals are unavailable?

How Regure Makes Supervisory Reviews Straightforward

The firms that handle FCA supervisory reviews most effectively share a common characteristic: their operations generate evidence as a byproduct of normal activity, rather than requiring special effort to compile evidence after the fact. Regure is built around this principle.

Regure's audit trail infrastructure creates a complete, tamper-resistant record of every action taken on every claim — who made each decision, when, under what authority, and following what process. When an FCA information request arrives, firms can produce structured audit evidence for any date range or claim cohort without manual data aggregation.

The platform's reporting capabilities are designed around regulatory output formats. Claims outcome data, vulnerable customer handling records, communication logs, and governance MI can all be extracted in formats that map directly to what FCA information request letters typically require. A request that would take an operations team several weeks to fulfil manually can typically be addressed within days.

Regure also supports the self-assessment discipline that prevents supervisory findings. Built-in analytics allow compliance teams to monitor claims outcome consistency, track turnaround times against benchmarks, and identify cohorts of claims that warrant closer review — before the FCA does that analysis for you.

Supervisory reviews are a test of operational maturity as much as a test of outcomes. If your firm is not yet operating with the kind of systematic evidence infrastructure that makes these reviews straightforward, speak to Regure about how to get there.

Regure Team
Insights from the team building compliance-ready operations for insurance.
