API-led insurance

Category: Insurtech · Reviewed by Chrissie Anderson, Client Executive · Last reviewed 2026-06-10

API-led insurance is the design and delivery of insurance services around documented, machine-consumable application programming interfaces, so that quoting, binding, mid-term adjustments, claims and analytics can be invoked by partner applications rather than only through human user interfaces. It is the technical foundation of embedded distribution, open insurance and many software-as-a-service insurance platforms.

Also known as: API-driven insurance, insurance APIs, headless insurance
Established / Coined: REST APIs in insurance from circa 2012; “API-led” terminology popularised by MuleSoft circa 2015
Related concepts: Embedded insurance, Open insurance, Insurance core systems

Definition

API-led insurance treats the insurance operation as a set of programmatic services exposed via REST, GraphQL or event-streaming interfaces and described using OpenAPI Specification (formerly Swagger), AsyncAPI or industry-specific schemas. The same services that are consumed by an insurer’s own customer portal are exposed to authorised partners — brokers, embedded retailers, aggregators, MGAs and reinsurers — under contractual and security controls. This contrasts with the earlier “batch and bordereaux” model in which data was exchanged on flat files, often overnight.

Two standards bodies have influenced United Kingdom practice. ACORD, the global insurance data standards body, maintains XML and JSON-LD schemas for property and casualty messages, and the Lloyd’s market has adopted ACORD-based standards for placing and accounting under the Blueprint Two programme. Within personal lines, Polaris-style XML formats persist for motor and home aggregator feeds, with REST and GraphQL APIs increasingly used between insurers, brokers and embedded partners.

Legal / Regulatory basis

When an insurer or broker exposes APIs to a third party it is engaging that third party as an outsourced or material service provider in many cases. The Prudential Regulation Authority’s Supervisory Statement SS2/21 “Outsourcing and third-party risk management” (March 2021) sets expectations on materiality assessment, due diligence, written agreements, business continuity, sub-outsourcing, data security and exit strategies. The FCA Handbook’s SYSC 8 (general outsourcing) and SYSC 13 (operational risk) apply to FCA-only firms and SYSC 8.1.7R requires the firm to retain regulatory responsibility regardless of the outsourcing.

Operational resilience is set by PRA SS1/21 and PS6/21 (March 2021) and FCA PS21/3, requiring identification of important business services, impact tolerances and severe-but-plausible scenario testing. Where APIs underpin an important business service, the outage of the API gateway (and of the identity provider that issues partner tokens) must be among the scenarios modelled. EIOPA’s Guidelines on Outsourcing to Cloud Service Providers (2020) apply to European Economic Area insurers and have shaped UK practice. The EU Digital Operational Resilience Act (DORA), applying from January 2025 to EEA financial entities, imposes additional rules on ICT risk and third-party providers; the EU-authorised entities of UK groups are within its scope.

Data protection obligations under UK GDPR and the Data Protection Act 2018 apply to personal data flowing across an API. Where a regulated activity such as arranging deals in investments (article 25 of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001) is carried on through a partner’s API journey, the authorised principal remains responsible for any failures in that journey.

How it works in practice

A typical API-led insurance estate has a layered architecture: domain APIs encapsulate single business capabilities (quote, bind, MTA, claim-FNOL, document); process APIs orchestrate multiple domain APIs into a workflow (full new business journey, complex claim); and experience APIs shape responses for specific channels (web, mobile, partner). Partner authentication is usually OAuth 2.0 (typically the client credentials grant) or mutual TLS, with rate limiting and request signing on sensitive endpoints such as bind and payment. Webhooks or event streams (Kafka, EventBridge) communicate state changes back to partners. Because a webhook is an inbound HTTP call that the partner did not initiate, the receiving side should verify a signature and a freshness timestamp on every callback before acting on it, and should treat delivery as at-least-once so that a repeated event is deduplicated rather than applied twice.
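The webhook signing and verification step described above, as an added example that is not code from any insurer platform or vendor named on this page. It assumes a per-partner shared secret, an HMAC-SHA256 signature over the string "<unix timestamp>.<raw body>", two hypothetical headers (X-Timestamp and X-Signature) carrying the timestamp and the versioned signature, and a five-minute replay window; the insurer side produces the headers, the partner side checks them and deduplicates on the event identifier.

```python
"""Signed webhook exchange between an insurer and a distribution partner.

Added example; header names, the signature format and the replay window are
assumptions, not a published standard.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

MAX_SKEW_SECONDS = 300  # assumed replay window: reject callbacks more than 5 min old or in the future


def _message(timestamp: int, body: bytes) -> bytes:
    # Binding the timestamp into the signed message stops an attacker replaying an
    # old, validly signed body with a fresh timestamp.
    return str(timestamp).encode() + b"." + body


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> Dict[str, str]:
    """Insurer side: headers that accompany one webhook delivery."""
    sig = hmac.new(secret, _message(timestamp, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Signature": "v1=" + sig}


def verify_webhook(secret: bytes, body: bytes, headers: Dict[str, str],
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Partner side: accept only fresh callbacks whose signature matches the raw body.

    Returns (accepted, reason). Verify over the raw bytes, never over re-serialised JSON,
    because any whitespace or key-order change would alter the MAC.
    """
    now = int(time.time()) if now is None else now
    ts_raw = headers.get("X-Timestamp", "")
    sig_raw = headers.get("X-Signature", "")
    if not ts_raw.isdigit():
        return False, "missing or malformed timestamp"
    ts = int(ts_raw)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    if not sig_raw.startswith("v1="):
        return False, "unsupported signature version"
    expected = hmac.new(secret, _message(ts, body), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so response timing leaks nothing about
    # how many leading bytes of a forged signature were correct.
    if not hmac.compare_digest(expected, sig_raw[3:]):
        return False, "signature mismatch"
    return True, "ok"


def handle_event(secret: bytes, body: bytes, headers: Dict[str, str],
                 seen_ids: Set[str], now: Optional[int] = None) -> Tuple[str, Optional[dict]]:
    """Partner side: verify, parse, and deduplicate one at-least-once delivery.

    Returns ("rejected"|"duplicate"|"processed", parsed_event_or_None).
    """
    ok, _reason = verify_webhook(secret, body, headers, now)
    if not ok:
        return "rejected", None
    event = json.loads(body)  # only parse after the MAC check passed
    event_id = event.get("event_id")
    if not isinstance(event_id, str) or event_id in seen_ids:
        return "duplicate", None
    seen_ids.add(event_id)
    return "processed", event


if __name__ == "__main__":
    # Constructed sample: a policy-bound notification from insurer to partner.
    secret = b"per-partner-secret-constructed-for-demo"
    body = b'{"event_id":"evt_0001","type":"policy.bound","policy_number":"DEMO-0001"}'
    headers = sign_webhook(secret, body, int(time.time()))
    seen: Set[str] = set()
    print(handle_event(secret, body, headers, seen))          # processed
    print(handle_event(secret, body, headers, seen))          # duplicate (redelivery)
    print(verify_webhook(secret, body + b" ", headers))       # signature mismatch (tampered body)
```

On the insurer side the same HMAC construction can be applied to partner requests on sensitive endpoints (sign timestamp plus body under the partner's secret) so that a leaked bearer token alone is not enough to bind cover; on both sides the secret should be per partner and rotated with a version prefix so old and new keys can overlap during rotation.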

Governance includes an API catalogue, lifecycle management (alpha, beta, GA, sunset), versioning policy, contract testing and observability. The risk and compliance functions sign off security testing, data classification and the partner agreements. Under SS2/21 the firm must conduct an outsourcing assessment for each material partner, even where the partner is a customer of an API rather than a vendor.

Common variations

Variations include public APIs (open to any developer after registration, used for marketing and aggregator distribution), partner APIs (contractual and authenticated, the embedded and broker route), and internal APIs (consumed only by the firm’s own systems but governed to the same standards). Within Lloyd’s the Blueprint Two delivery includes a Core Data Record and digital placing services, exposed via APIs developed by Velonetic and others, with which managing agents and brokers integrate.

Example

A United Kingdom MGA running a coverholder facility for a Lloyd’s syndicate exposes a quote-and-bind REST API under OAuth 2.0 to seven distribution partners (three retail brokers, two aggregators, a price comparison site and a fleet platform). Each partner is contracted under a binding authority that incorporates the MGA’s terms of business, data processing agreement and SS2/21-aligned third-party risk schedule. The MGA monitors API latency and error rates against impact tolerances; quarterly resilience tests simulate an API gateway outage and confirm that mid-term adjustment can be processed manually within four hours. The MGA’s product board reviews per-partner loss ratios and complaint rates under PROD 4 and the Consumer Duty.

References

  1. PRA SS2/21 “Outsourcing and third-party risk management” (March 2021) — https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management
  2. PRA SS1/21 / PS6/21 “Operational resilience” (March 2021) — https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-policy-statement
  3. FCA PS21/3 “Building operational resilience” (March 2021) — https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience
  4. FCA Handbook SYSC 8 (General outsourcing) — https://www.handbook.fca.org.uk/handbook/SYSC/8/
  5. EIOPA Guidelines on Outsourcing to Cloud Service Providers (2020) — https://www.eiopa.europa.eu/document/download/
  6. EU Regulation (EU) 2022/2554 on Digital Operational Resilience (DORA) — https://eur-lex.europa.eu/eli/reg/2022/2554/oj
  7. ACORD Standards — https://www.acord.org/standards-architecture
  8. Lloyd’s Blueprint Two and Velonetic core platform — https://www.lloyds.com/about-lloyds/our-market/blueprint-two
  9. OpenAPI Specification — https://spec.openapis.org/oas/latest.html
  10. ICO Guide to UK GDPR — https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/

This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.

Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.
