Insurance Licence Authorisation: Part V - Establishing Control Functions

In the preceding four sections of this five-part series, we have moved from strategic intent, through process execution, into regulatory judgement, and finally into the practical requirements of the authorisation application pack. Together, these stages describe what it takes to secure approval to operate as an insurance undertaking in Ireland.

This fifth and final part steps back from the mechanics of authorisation to consider what approval actually creates in practice: a permanent operating state defined by continuous supervision, accountability, and regulatory judgement. It examines how control functions operate as the primary interface between the undertaking and the regulator, and why long-term supervisory outcomes are shaped less by documentation quality and more by how firms govern, challenge, and adapt over time.

Key Control Functions

For each key function within the insurer, the applicant must define the structure of the function, an overview of the team (including experience and qualifications) and detail the role and objectives of the function.

Internal Audit Function

The Applicant should outline the expected frequency of internal audits and the scope of the internal audits to be performed.

It is common for new entrants to either outsource or co-source its internal audit function and hence contact details for the outsourced party, or parties, should be provided.

Compliance Function

The compliance function plays a pivotal role in ensuring the Applicant meets the expectations and regulatory obligations set by both the CBI and the Solvency II framework.

Accordingly, the Applicant must provide a clear and comprehensive outline of the compliance function’s structure, an overview of the team and a description of the function’s specific roles and objectives.

Actuarial Function

The actuarial function is also of critical importance under both the CBI’s regulatory expectations and the Solvency II framework. The Domestic Actuarial Regime, as set out by the CBI, further reinforces these standards by specifying additional local requirements and expectations for actuarial governance and reporting.

The Applicant must provide a comprehensive outline of the actuarial function’s structure, including an overview of the team’s experience and qualifications. The submission should detail the specific roles and objectives of the actuarial function, such as the coordination of calculation of technical provisions, the provision of opinions on underwriting and reinsurance arrangements, and the contribution to the overall risk management framework.

The application must include a formal opinion, accompanied by a detailed supporting report, from the proposed Head of Actuarial Function. This report should explicitly address the following areas:

• Confirmation that the technical provisions set out in the financial projections are reasonable.

• Assessment that the pricing and underwriting policies and procedures are both adequate and realistic.

• Evaluation of the reinsurance and retrocession arrangements, confirming their adequacy.

• Assurance that the Own Risk and Solvency Assessment (ORSA) effectively considers all material risks within its solvency stress tests.

Risk Function

The business plan will detail the structure and responsibilities of the risk management team, the expertise and qualifications of its members, and the specific strategies employed to monitor and mitigate potential risks. Regular risk assessments and ongoing monitoring will be carried out to support sound decision-making and ensure compliance with relevant regulatory requirements.

In the case of smaller organisations, the risk and compliance functions may well be combined.

Other Functions

Underwriting Function

The application should outline the structure of the underwriting function, submit an overview of the underwriting team, detail the role and objectives of the underwriting function and outline the underwriting activities of the Applicant.

For some new entrants, it may be the case that there is limited in-house underwriting expertise, should the business model rely heavily on MGAs or external experts. Responsibility for underwriting oversight may lie with the Managing Director or other members of the executive.

Distribution channels and projected sales for each product should be set out, as well as:

(i) the regulatory status of distributors; and

(ii) whether individuals are advising consumers on retail financial products or offering to sell retail financial products for consumers on behalf of the Applicant.

Details should be provided of the Applicant’s new product approval process.

Investment Function

Applicants are expected to provide a description of their investment strategy, including details of strategic asset allocation by asset class, type, currency, and duration, as well as internal quantitative limits by counterparty, geographical area, or industry.

This information is required to demonstrate that the investment function is managed in accordance with the prudent person principle under Solvency II. Investment assets should be selected and managed to ensure that they appropriately match the nature and duration of the applicant’s insurance liabilities.

Information Technology

The Applicant may choose to outsource IT services to specialised external providers, including those responsible for core administration platforms, data security protocols, and disaster recovery arrangements. When IT services are outsourced, rigorous oversight and governance are maintained, with regular assessments of system performance and security conducted to ensure compliance with regulatory expectations.

Details of the IT systems to be used by the Applicant, as well as the primary IT service providers and backup providers, must be clearly outlined.

Key Control Functions: Ongoing Accountability

Once authorised, the effectiveness of an undertaking’s control functions becomes one of the most persistent lenses through which it is supervised. While governance structures and policies are assessed during the application phase, it is the day-to-day operation of these functions that determines supervisory confidence over time.

The Central Bank’s expectations are clear: key control functions must be appropriately resourced, independent where required, and capable of exercising real challenge. This applies equally where functions are outsourced or co-sourced. While external providers may perform operational tasks, responsibility for oversight, judgement, and escalation remains firmly with the undertaking.

In practice, supervisory attention frequently focuses on how the actuarial, risk, compliance, and internal audit functions interact with the board and executive. This includes how issues are identified, how recommendations are tracked, and how disagreements are resolved. A function that exists largely on paper, or that lacks authority to influence decisions, will quickly attract scrutiny.

Importantly, proportionality does not equate to informality. Smaller or less complex undertakings may operate with leaner teams, but they are still expected to demonstrate robust control, clear accountability, and effective challenge. Over time, the maturity of these functions is often a key determinant of supervisory intensity.

Post-Authorisation Supervision

Authorisation marks the beginning of formal supervision, not its conclusion. From the point of approval, undertakings are subject to the Central Bank’s ongoing risk-based supervisory framework.

Under this approach, firms are categorised according to their potential impact on financial stability and consumers. This categorisation informs the frequency, depth, and intensity of supervisory engagement. Higher-impact firms can expect more regular and intrusive supervision, including thematic reviews, deep dives into specific risk areas, and on-site inspections. Lower-impact firms are not exempt from scrutiny, but engagement is calibrated to reflect scale and complexity.

Supervision scale is not limited to quantitative metrics. It extends to culture, decision-making, and how firms respond to challenge. The standards applied during authorisation form the baseline against which future performance is assessed. In this sense, the authorisation process establishes the supervisory ‘memory’ of the firm.

The entity should be prepared for post-authorisation supervision, including periodic reporting and inspections, as part of the CBI’s risk-based approach to oversight.

Authorisation as the Start of a Regulatory Relationship

Taken together, the Irish authorisation regime reflects a clear philosophy: entry to the market is permitted only where an undertaking can demonstrate that it is capable of operating safely, sustainably, and under continuous supervision.

For firms that approach authorisation as a transactional milestone, this reality can come as a surprise. Successful undertakings are typically those that embed regulatory expectations into how they run the business, rather than treating supervision as an external constraint. They recognise that governance, capital planning, risk management, and control functions are not static requirements but evolving disciplines that must adapt as the business grows and changes.

Authorisation, therefore, should not be seen as the end of a project, but as the beginning of a new operating state. Firms that internalise this from the outset are better positioned not only to secure approval, but to thrive under supervision in the years that follow.

Conclusion

Authorisation in Ireland is best understood not as a transaction, but as a transition. It marks the point at which an undertaking accepts ongoing scrutiny over how it governs, manages risk, deploys capital, and protects policyholders.

Firms that approach authorisation as a finite project often struggle under supervision. Those that recognise it as the foundation of a long-term regulatory relationship are better equipped to maintain supervisory confidence, adapt to changing expectations, and grow sustainably within the Irish and European insurance markets.

Read together, this series reflects a simple but often overlooked reality: successful authorisation depends less on navigating a process and more on committing to the responsibilities that come with holding an insurance licence.