Last reviewed: April 10, 2026
Jurisdictions covered: UK (primary), EU and US (comparison)
The FCA and AI: More Guidance Than Any UK Regulator, Zero Enforcement Actions
The FCA has published more AI-related guidance than any other UK regulator. Its output includes an AI Update, three industry surveys, an AI Sprint, an AI Live Testing scheme, a planned statutory Code of Practice with the ICO, and most recently the Mills Review of AI in financial services. Seventy-five percent of UK financial services firms already use AI. Thirty-four percent do not fully understand the AI systems they have deployed.
Zero AI-specific enforcement actions have been taken.
FCA CEO Nikhil Rathi told the industry in December 2025 that banks would not face “witch-hunts for minor AI blunders” and encouraged firms to “go and innovate” (The Banker, December 3, 2025). One month later, the Treasury Committee published a report warning that the FCA and Bank of England are “exposing the public to potentially serious harm” through their “wait-and-see approach” on AI.
This is the defining tension in UK financial services AI regulation: the most sophisticated regulatory engagement in the country, paired with the least enforcement. This article covers what the FCA actually requires, how SM&CR applies to AI decisions, what the PRA adds from the prudential side, and what compliance teams should do before the rules tighten.
Key Takeaways
- 75% of UK financial services firms use AI (BoE/FCA 3rd AI/ML Survey, November 2024). 34% do not fully understand their own AI systems. 17% use foundation models.
- Consumer Duty (PS23/16) is the primary AI compliance lens. The FCA expects firms to demonstrate that AI-driven outcomes are fair, transparent, and do not harm consumers — using existing rules, not AI-specific ones.
- SM&CR makes named individuals accountable for AI decisions. The FCA confirmed in its April 2024 AI Update that Senior Managers are responsible for AI systems within their functions. This is not inference — it is stated FCA policy.
- The FCA/ICO joint statutory Code of Practice on AI was announced in June 2025 but has not been published as of April 2026. Many firms are waiting for something that has not arrived.
- The Treasury Committee warned in January 2026 that the FCA and BoE are “exposing the public to potentially serious harm” through insufficient AI oversight. This is a genuine policy disagreement, not rhetorical criticism.
What Has the FCA Published on AI?
The FCA has built the most comprehensive AI engagement programme of any UK regulator. Here is every significant output:
| Date | Output | Key Content |
|---|---|---|
| April 2024 | AI Update | Confirmed Consumer Duty and SM&CR apply to AI. First formal FCA position on AI governance. |
| November 2024 | 3rd AI/ML Survey (with BoE) | 75% adoption rate. 34% don’t understand their AI. 17% use foundation models. |
| November 2024 | AI Sprint | Cross-industry convening to identify AI governance gaps and opportunities. |
| June 2025 | FCA/ICO announcement | Planned joint statutory Code of Practice for AI in financial services — first binding UK AI instrument. Not yet published. |
| September 2025 | AI Live Testing (FS25/5) | Regulatory sandbox allowing firms to test AI products with real consumers under supervised conditions. NVIDIA consortium partnership. |
| January 2026 | Mills Review call for input | Independent review of AI in financial services led by Amanda Mills. Consulting on barriers, opportunities, and regulatory gaps. |
| March 2026 | FCA Annual Work Programme | FCA commits to using AI internally to speed authorisations and detect consumer harm. First “AI-enabled regulator” commitment. |
| March 2026 | FCA/ICO Joint Statement on vulnerability data | How Consumer Duty and data protection intersect for vulnerable customers — AI systems that profile vulnerability status must comply with both. |
| April 1, 2026 | BoE/PRA letter to HMT/DSIT/DBT | Sarah Breeden and Sam Woods defend principles-based approach. Commit to full AI innovation plan in H1 2026. |
No other UK regulator has this depth of AI engagement. The ICO comes closest with its AI and Biometrics Strategy (June 2025) and ADM guidance (March 2026), but the FCA’s combination of surveys, testing infrastructure, and cross-regulator coordination is unmatched.
How Does Consumer Duty Apply to AI?
Consumer Duty (PS23/16, in force since July 2023) is the FCA’s primary lens for AI governance. It is not an AI regulation — it is a conduct standard that applies to all retail financial services. But its four outcomes map directly onto AI risks:
1. Products and services. AI-driven financial products must be designed to meet the needs of the target market. An AI that recommends investment products must be tested against the target market’s characteristics, not just optimized for revenue.
2. Price and value. AI pricing algorithms must deliver fair value. Algorithmic price discrimination — charging different customers different prices for the same product based on behavioural data — is a Consumer Duty risk. The CMA’s algorithmic collusion research (via the DRCF) reinforces this concern.
3. Consumer understanding. Firms must ensure consumers can understand AI-driven decisions that affect them. If an AI denies a mortgage application, the applicant must be able to understand why — even if the model’s internal reasoning is complex.
4. Consumer support. AI chatbots and automated support systems must meet the same quality standards as human support. A chatbot that provides incorrect information or fails to escalate complex queries breaches Consumer Duty regardless of whether a human or AI generated the response.
The FCA/ICO joint statement on vulnerability data (March 26, 2026) adds a specific dimension: AI systems that identify or profile vulnerable customers must comply with both Consumer Duty and data protection law. Using AI to flag vulnerability can improve outcomes — but processing sensitive health, financial difficulty, or bereavement data triggers ICO obligations under the DUA Act’s reformed ADM framework.
Who Is Accountable When the Algorithm Gets It Wrong?
The Senior Managers and Certification Regime (SM&CR) answers this question. The FCA confirmed in its April 2024 AI Update that SM&CR applies to AI systems: named Senior Management Function (SMF) holders are responsible for AI within their functions.
This means:
- The Chief Risk Officer (SMF4) is accountable for AI risk management
- The Chief Operations Officer (SMF24) is accountable for AI in operational processes
- The Head of Compliance (SMF16) is accountable for AI regulatory compliance
- Any SMF holder whose function uses AI bears personal accountability for that system’s conduct
The FCA consulted on SM&CR reform (CP25/21, closed October 2025). The consultation did not propose weakening AI accountability — if anything, it reinforced the expectation that firms map AI systems to named SMF holders.
The practical challenge: “meaningful human involvement” in AI decisions. DUA Act Section 80 requires safeguards for significant automated decisions — notification, right to challenge, human intervention. Consumer Duty requires understandable outcomes. SM&CR requires personal accountability. A financial AI system must satisfy all three simultaneously.
What Does the PRA Add from the Prudential Side?
The Prudential Regulation Authority (PRA) and Bank of England regulate AI from the financial stability perspective — distinct from the FCA’s conduct focus.
SS1/23 (Model Risk Management). The PRA’s supervisory statement on model risk management applies to all models, including AI/ML. It requires firms to maintain a model inventory, validate models before deployment, monitor ongoing performance, and document model limitations. For AI systems, this means algorithmic audit trails and explainability sufficient for PRA supervisors.
Financial Stability in Focus: AI (April 2025). The BoE’s assessment of systemic AI risks to financial stability. Key concern: concentration risk — if multiple firms rely on the same foundation models or cloud providers, a single failure could cascade across the sector.
The April 1, 2026 letter. Sarah Breeden and Sam Woods responded to the government’s AI growth agenda by defending the principles-based approach but committing to publish a full AI innovation plan in H1 2026. The letter signals that the PRA will not rush to AI-specific rules but will increase supervisory attention to AI within existing frameworks.
Together, FCA conduct regulation and PRA prudential regulation create a two-lens system for financial AI. The FCA asks: “Is this fair to consumers?” The PRA asks: “Is this safe for the financial system?” Both apply through existing frameworks. Neither has created AI-specific rules.
What About the Code of Practice?
In June 2025, FCA CEO Nikhil Rathi and Information Commissioner John Edwards jointly announced a planned statutory Code of Practice for AI in financial services. This would be the UK’s first binding AI-specific regulatory instrument — giving the FCA power to set enforceable standards for how financial firms use AI.
As of April 2026, no draft has been published. The announcement was made ten months ago. The code would need to go through formal consultation, parliamentary scrutiny, and FCA board approval before taking effect.
For compliance teams, this creates a planning problem. Many firms are waiting for the Code of Practice before investing in AI governance infrastructure. But the FCA’s existing expectations — Consumer Duty, SM&CR, model risk management — already apply. Waiting for the Code may mean falling behind on obligations that are already enforceable.
What Does the Treasury Committee Say?
The House of Commons Treasury Committee published its report on AI in financial services on January 20, 2026. The verdict was sharp: the FCA and Bank of England are “exposing the public to potentially serious harm” through a “wait-and-see approach” that has produced extensive engagement but insufficient protection.
The Committee found:
- Firms are deploying AI faster than regulators can assess the risks
- The FCA’s reliance on existing frameworks (Consumer Duty, SM&CR) may not be sufficient for novel AI risks
- The gap between the FCA’s innovation encouragement (“go and innovate”) and its enforcement record (zero AI actions) undermines regulatory credibility
This is a genuine policy disagreement. The FCA argues that principles-based regulation is flexible enough to cover AI. The Treasury Committee argues that flexibility without enforcement is indistinguishable from inaction. The outcome of this disagreement — whether the FCA increases enforcement or the government legislates — will shape UK financial AI regulation for years.
What Should Financial Services Firms Do?
1. Map AI systems to SMF holders. Every AI system in your organization should be assigned to a named Senior Manager under SM&CR. Document the assignment. If an AI system fails, the SMF holder must be able to explain how they exercised oversight.
2. Conduct a Consumer Duty AI audit. For every consumer-facing AI outcome — product recommendation, pricing, credit decision, support — assess whether the AI delivers fair outcomes, fair value, consumer understanding, and adequate support. Document the assessment.
3. Comply with DUA Act Section 80 for automated decisions. If your AI makes significant decisions about individuals (credit, insurance, claims), implement the required safeguards: notification, right to challenge, meaningful human intervention.
4. Implement SS1/23 for AI models. Maintain an AI model inventory. Validate models before deployment. Monitor ongoing performance. Document limitations. The PRA expects this for all models — AI is not exempt.
5. Do not wait for the Code of Practice. It was announced in June 2025. No draft has appeared. Existing obligations — Consumer Duty, SM&CR, SS1/23, DUA Act — are already enforceable. Build your governance framework on what is binding today, and update when the Code arrives.
6. Engage with the Mills Review. The call for input is open. This review will shape the FCA’s approach to AI in financial services. If you have views on barriers, opportunities, or regulatory gaps, this is your opportunity to influence the direction.
7. Monitor the BoE/PRA AI innovation plan. Committed for H1 2026 in the April 1 letter. This will define prudential expectations for AI in banking, insurance, and investment.
8. If you serve EU customers, comply with the EU AI Act. Financial AI systems that process EU customer data or reach EU users face binding obligations under the AI Act — including high-risk classification for credit scoring, insurance pricing, and employment AI. The FCA’s lighter approach does not reduce EU obligations.
FCA vs SEC vs EU AI Office
| Dimension | UK (FCA) | US (SEC) | EU (AI Office + national authorities) |
|---|---|---|---|
| AI-specific rules | None — Consumer Duty + SM&CR applied to AI | None — existing securities law + staff guidance | AI Act — binding high-risk obligations for credit, insurance, employment AI |
| Primary lens | Consumer outcomes (Consumer Duty) | Market integrity + investor protection | Risk classification (prohibited → high → limited → minimal) |
| ADM framework | Permitted with safeguards (DUA Act s.80) | No federal ADM framework | Generally prohibited (GDPR Art. 22) with AI Act additions |
| Innovation sandbox | AI Live Testing (FS25/5) + Supercharged Sandbox | No equivalent | AI regulatory sandboxes (Art. 57-58) |
| Enforcement | Zero AI-specific actions | Emerging (AI washing cases) | AI Office enforcement from August 2026 |
| Max penalty | £17.5M or 4% turnover (ICO); unlimited (FCA) | Varies (disgorgement + civil penalties) | EUR 35M or 7% turnover |
Disclaimer: This content is for informational purposes only and does not constitute legal advice. Financial services regulation involves multiple overlapping frameworks. Organizations should consult their compliance teams and qualified legal counsel. Reg Intel is not a law firm and does not provide legal services.
Last verified: April 10, 2026
Sources
Official Sources
- FCA AI Update, April 2024
- BoE/FCA 3rd AI and Machine Learning Survey, November 2024 — 75% adoption, 34% lack understanding
- FCA AI Live Testing (FS25/5), September 2025
- FCA/ICO Joint Statement on Vulnerability Data, March 26, 2026
- BoE/PRA Letter to HMT/DSIT/DBT, April 1, 2026
- Mills Review Call for Input, January 23, 2026
- FCA Annual Work Programme, March 25, 2026
Analysis and Commentary
- The Banker: FCA CEO Rathi — banks won’t face “witch-hunts for minor AI blunders,” December 3, 2025
- Treasury Committee: AI in Financial Services report, January 20, 2026
- PRA Supervisory Statement SS1/23: Model Risk Management
- BoE: Financial Stability in Focus — AI, April 2025