The UK insurance AI regulatory landscape
UK insurers deploying AI face obligations from multiple regulators operating in parallel. The Financial Conduct Authority is the primary conduct regulator, with Consumer Duty as the overarching framework. The Prudential Regulation Authority applies prudential expectations including model risk management. The Information Commissioner's Office enforces UK GDPR. And the Financial Ombudsman Service (FOS) can adjudicate disputes about AI-driven insurance decisions, creating indirect governance pressure through complaint risk.
FCA Consumer Duty and insurance AI
Consumer Duty, which came into force in July 2023, requires firms to act to deliver good outcomes for retail customers across four outcome areas: products and services, price and value, consumer understanding, and consumer support. Each of these has direct implications for AI use in insurance.
Price and value: AI pricing models must demonstrably reflect the actual risk and value received. AI that systematically charges customers more than the fair value of the insurance (including through loyalty pricing penalties, proxy discrimination, or opaque algorithmic adjustments) creates Consumer Duty exposure. Firms must be able to show the FCA, through data and analysis, that pricing outcomes are consistent with the fair value requirement.
Consumer understanding: AI-generated communications, such as automated renewal notices, claims decisions, and underwriting explanations, must meet the Consumer Duty standard of enabling customers to make informed decisions. Generic explanations of "algorithmic underwriting" do not meet this standard. Customers must understand what factors influenced their premium or claim decision.
Consumer support: AI chatbots and automated claims handling must not create barriers that prevent customers from obtaining the outcomes they are entitled to. Automated claims rejections must be reviewable by humans, and the escalation path must be easily accessible.
FCA General Insurance Pricing Practices
The FCA's pricing practices rules, in force since January 2022, were a direct regulatory response to the loyalty penalty problem in insurance, where algorithmic pricing systematically charged existing customers more than equivalent new customers for the same risk. The rules require that renewal prices are no higher than the equivalent new customer price for the same product and risk profile.
For AI pricing models, this creates a specific governance requirement: the model must be tested and monitored to ensure it does not produce renewal prices systematically higher than new business prices. Firms must be able to demonstrate through data that their AI pricing model complies, which means maintaining the data infrastructure and monitoring to detect and remedy pricing disparities.
PRA model risk management
The PRA applies model risk management expectations drawn from its Supervisory Statement SS1/23 on model risk management principles for banks, and analogous expectations for insurers under its Supervisory Statement SS3/17 on AI and machine learning. Core requirements: AI models used in underwriting, pricing, and reserving must be validated independently before deployment; model limitations and assumptions must be documented; performance must be monitored against defined thresholds; and material model changes require revalidation.
For actuarial models with AI components, the Institute and Faculty of Actuaries (IFoA) has published guidance on the responsibilities of the Chief Actuary and responsible actuary in relation to AI-assisted pricing and reserving models. The responsible actuary cannot delegate accountability for model outputs to the AI: they must understand the model's methodology and limitations well enough to take professional responsibility for its outputs.
ICO and UK GDPR
All personal data processed in insurance AI β including telematics data, claims history, health information, and behavioural data used in pricing β is subject to UK GDPR. Special category data (health information, genetic data used in life and health insurance underwriting) attracts the highest UK GDPR obligations and requires explicit consent or another Article 9(2) basis. Automated underwriting decisions with legal or similarly significant effects on individuals engage Article 22 rights to human review and explanation.