Navigating AI Regulations: A Practical Framework for FCA Authorised Firms
- Roland Romata

- Apr 1
Updated: May 4
The FCA expects your firm to govern AI under existing rules — not wait for new ones. Here's the practical framework to get it right.
The Regulatory Clock is Ticking — and There's No AI Rulebook Coming
Three out of every four UK financial services firms are already using artificial intelligence. The FCA and Bank of England confirmed this in their third joint survey, published in late 2024. By the time Lloyds published its Financial Institutions Sentiment Survey in September 2025, nearly six in ten institutions reported measurable productivity gains from AI — almost double the proportion from the year before.
Yet, here is the challenge every compliance officer, COO, and risk director in a regulated firm now faces: the FCA has made it clear, repeatedly, that it will not introduce AI-specific regulations. There is no standalone AI rulebook on the horizon. Instead, the regulator expects firms to demonstrate that their existing governance frameworks — the Consumer Duty, the Senior Managers and Certification Regime (SM&CR), the Systems and Controls sourcebook (SYSC), and operational resilience requirements — already cover AI.
This expectation has teeth. The House of Commons Treasury Committee published its report on AI in financial services in January 2026 and was blunt in its criticism, warning that regulators were not doing enough to manage the risks AI presents. The Committee has recommended that the FCA publish comprehensive, practical guidance on how existing consumer protection rules apply to AI — and on what level of assurance is expected from senior managers under the SM&CR for harm caused through AI — by the end of 2026.
For FCA authorised firms, the question is no longer whether to have an AI governance policy. It is whether the one you have — or don't have — will survive regulatory scrutiny.
Why Every FCA Authorised Firm Needs a Formal AI Policy Now
The FCA's approach to AI regulation rests on a straightforward logic: AI is a technology, not a regulated activity. The regulatory obligations that apply when a firm uses AI are the same obligations that apply to everything else the firm does. Principle 2 (skill, care, and diligence), Principle 3 (management and control), Principle 6 (treating customers fairly), Principle 7 (clear communications) — these do not switch off because a decision was made by an algorithm rather than a person.
What changes with AI is the speed, scale, and opacity of the risk. A flawed manual process might affect a handful of customers before someone spots the error. A flawed AI model can propagate harm across thousands of customers in real time. That is why the FCA expects firms to have governance arrangements that are proportionate to the risk AI introduces — and why a formal, documented AI governance policy is now a practical necessity, not a nice-to-have.
FCA AI Compliance Starts with What You Already Have
The FCA's 2024 AI Update mapped its existing regulatory framework against the UK Government's five AI principles. This mapping is instructive because it tells firms exactly where the regulator will look:
Safety, security, and robustness are covered by Principles 2 and 3, the Threshold Conditions, and the SYSC requirements for risk controls (SYSC 7) and sound security mechanisms (SYSC 4).
Transparency and explainability are addressed through Principle 7 (clear, fair, and not misleading communications), the Consumer Duty's consumer understanding outcome, and the UK GDPR requirements to provide meaningful information about automated decision-making logic (Articles 13 and 14).
Fairness maps to the Consumer Duty, the Equality Act 2010, and the UK GDPR's fairness principle in data processing.
Accountability and governance sit squarely within the SM&CR and the SYSC sourcebook — particularly SYSC 4.1.1R on governance arrangements and SYSC 3 on systems and controls.
Contestability and redress are covered by the Dispute Resolution sourcebook (DISP), Article 22 of the UK GDPR (the right not to be subject to solely automated decisions), and the Consumer Duty's consumer support outcome.
A well-constructed AI governance policy should trace each of these principles back to the specific FCA rules that apply to your firm's AI use cases. That traceability transforms a policy from a shelf document into a defensible compliance artefact.
SM&CR and AI: Who is Accountable When the Algorithm Gets it Wrong?
This is the question that keeps senior managers awake at night, and rightly so. The FCA and PRA considered whether to create a new, dedicated Senior Management Function for AI. They consulted on it in their 2022 discussion paper. The industry pushed back, and the regulators agreed: existing SM&CR structures are sufficient.
That decision has a consequence. Accountability for AI governance does not sit in a vacuum. It falls on the Senior Managers whose Statements of Responsibilities cover the relevant functions:
SMF24 (Chief Operations Function) carries primary responsibility for the integrity of technology systems. In practice, this means AI infrastructure, deployment, security, and operational maintenance fall within their remit.
SMF4 (Chief Risk Function) retains oversight of the firm's risk management framework, including model risk, data quality risk, bias risk, and the risk appetite settings that govern AI deployment.
SMF16 (Compliance Oversight) is responsible for ensuring AI systems comply with applicable FCA rules, the Consumer Duty, and data protection requirements.
SMF17 (MLRO) must ensure that AI systems used in AML and counter-terrorist financing processes are fit for purpose — and, critically, that the MLRO can articulate the AI's logic to the FCA and NCA. A black-box defence is not acceptable.
For Enhanced firms, the allocation is relatively clear. For Core and Limited Scope firms (the majority of FCA authorised firms), the obligation still applies, but the SM&CR structure is simpler. The key is that at least one Senior Manager's Statement of Responsibilities explicitly addresses oversight of AI systems. If it doesn't, the firm has a gap that needs closing before, not after, the FCA asks to see it.
The duty of responsibility under FSMA means that if the firm breaches a regulatory requirement through its use of AI, the Senior Manager responsible for that area could be held personally accountable if they failed to take reasonable steps to prevent or stop the breach. That makes "I didn't know we were using AI in that process" an increasingly dangerous position for any Senior Manager to find themselves in.
Consumer Duty and AI: The Outcomes That Matter
The Consumer Duty is, by the FCA's own account, the lens through which it will assess most AI-related conduct. If your firm uses AI in any customer-facing process — or in any process that influences customer outcomes — the Duty applies in full.
The FCA's supervisory approach to the Consumer Duty is outcomes-focused and retrospective. The burden of proof sits with the firm, not the regulator. Firms that cannot demonstrate how their AI systems deliver good outcomes are in a significantly weaker position when things go wrong.
The Four Outcomes, Applied to AI
Products and services: AI systems involved in product design, recommendation, or distribution must meet the needs of the identified target market. An AI-powered recommendation engine that steers customers toward unsuitable products is a Consumer Duty breach, regardless of whether a human was in the loop.
Price and value: Where AI influences pricing — whether through dynamic pricing models, personalised offers, or risk-based premium calculations — the firm must ensure the price paid is reasonable relative to the benefits received. The FCA has flagged AI-driven pricing as an area of supervisory interest, particularly where it risks unfair discrimination by demographic.
Consumer understanding: Communications generated or delivered by AI must be clear, fair, and not misleading. This includes chatbot responses, automated emails, and AI-generated content used in customer journeys. Quality assurance is not optional.
Consumer support: AI systems deployed in customer service cannot create unreasonable barriers to accessing support. The FCA has been explicit: a system optimised purely for deflection and handling time, without measuring whether the customer's issue was actually resolved, risks breaching the consumer support outcome.
What Should an AI Governance Policy Contain?
A robust AI governance policy for an FCA authorised firm should cover, at minimum, the following areas:
Purpose and scope: defining which AI systems, business areas, and regulated activities are covered, and confirming that the policy applies to third-party and vendor-supplied AI as well as internally developed systems.
Regulatory framework mapping: tracing the FCA's existing rules to the firm's AI governance obligations, creating a clear line of sight from the five AI principles through to the specific Handbook provisions that apply.
Governance structure and accountability: documenting the SM&CR allocation, committee structures, terms of reference, and three lines of defence model for AI oversight.
AI risk classification: establishing a materiality-based tiering system (high, medium, low) that determines the intensity of governance, testing, monitoring, and oversight applied to each AI use case.
Lifecycle management: covering pre-deployment (use case definition, risk assessment, Consumer Duty impact assessment, DPIA, bias testing, explainability assessment, and approval), deployment, ongoing monitoring (performance metrics, drift detection, fairness reviews), change management, and decommissioning.
Consumer Duty and fairness: setting out how the firm ensures AI systems deliver good outcomes across all four outcome areas and how bias is identified, tested for, and mitigated.
Transparency and explainability: defining disclosure standards for customers, internal documentation requirements, and the firm's approach to regulatory engagement on AI matters.
Data governance: addressing data quality, UK GDPR compliance (including lawful basis, Article 22 rights, DPIAs, and privacy notices), and data security.
Third-party and outsourcing risk: covering due diligence, ongoing oversight, contractual protections, and concentration risk for AI providers.
Operational resilience: mapping AI dependencies within important business services, setting impact tolerances, and testing AI-specific failure scenarios.
Monitoring, reporting, and MI: defining what management information is produced, how frequently, and to whom it is reported.
Training and competence: ensuring Senior Managers, operational staff, and all relevant employees understand their responsibilities in relation to AI.
Incident management: establishing AI-specific incident response procedures, including containment, impact assessment, regulatory notification under SUP 15, and root cause analysis.
Policy review: committing to at least annual review, with ad hoc reviews triggered by new deployments, incidents, or regulatory developments.
The Mills Review: What's Coming Next
On 27 January 2026, the FCA launched the Mills Review, a long-term examination of how AI will reshape retail financial services, led by Executive Director Sheldon Mills. The review is looking beyond current use cases toward 2030 and beyond, covering AI technology evolution (including agentic AI), market structure implications, consumer trends, and the regulatory approach.
The Mills Review is not an abstract exercise. The FCA has invited feedback from firms, consumer groups, technology providers, and academics. Recommendations will be reported to the FCA Board in summer 2026 and published externally. Firms should expect the output to inform supervisory expectations for years to come.
At the same time, the Treasury Committee has recommended that the FCA publish comprehensive AI guidance for firms by the end of 2026, that HM Treasury designate major AI and cloud providers as critical third parties, and that the Bank of England and FCA conduct AI-specific stress testing.
The direction of travel is clear: more scrutiny, more expectation, and more accountability — all delivered through the existing regulatory framework.
Getting Started: A Practical Approach
For firms that do not yet have a formal AI governance policy, or whose existing policy is thin, the path forward involves several practical steps, starting with a good old-fashioned gap analysis.
The gap analysis will drive the AI use case register, where firms can document every AI system currently deployed or planned, classify its materiality, and assign a Senior Manager as accountable owner.
As noted above, firms should also update the relevant Statements of Responsibilities at this stage, so that oversight of AI systems is explicitly allocated to at least one Senior Manager.
Once these are in place, firms can go ahead and build the policy. A comprehensive, implementable AI governance policy should not be a set of aspirational principles.
Once embedded, the policy sets out the ongoing governance arrangements. Do remember, however, that the policy is the starting point, not the destination. Ongoing monitoring, periodic bias testing, regular MI reporting, and annual policy reviews are what make governance real rather than theoretical.
Free Template: AI Governance Policy for FCA Authorised Firms
We have developed a comprehensive, ready-to-customise AI Governance Policy template specifically designed for FCA authorised firms. It includes a full user guide explaining how to tailor the template for your firm and a complete 15-section policy document aligned to the FCA's principles-based framework.
The template maps every section to the applicable FCA rules, covering the Consumer Duty, SM&CR, SYSC, operational resilience, and UK GDPR.