AI governance for financial services
Your board answers to the FCA and the PRA for every AI decision.
AI now sits inside credit, pricing, fraud and advice. A named senior manager must be able to explain and defend each decision after the fact. Under SM&CR that accountability cannot be delegated to the model. Governance AI advises your board and risk committees on AI oversight and builds the controls that make those decisions explainable, fair and within tolerance.
Accountability sits with a named person, not the model.
Financial services is the one sector where AI governance answers to several authorities at once. The FCA applies its technology-neutral Principles and the Consumer Duty to AI-driven decisions about money, credit and access to services. The PRA, through SS1/23, expects model risk governance and independent validation that now reach machine-learning models feeding capital, pricing and risk. Both expect the board to evidence good outcomes, not to wait for AI-specific rules.
Under the Senior Managers and Certification Regime, one named individual carries personal accountability for AI risk and any AI-driven harm. The board's task is to connect AI oversight to its existing model risk, conduct, resilience and data-protection frameworks rather than treating it as a separate technology question. Most AI governance is performance, not protection.
The standards financial services firms are held to.
AI does not create a separate rulebook. It runs through the duties and regulators you already answer to.
Financial Conduct Authority (FCA)
Applies its outcomes-based Principles and SYSC governance rules to AI, expecting the board to evidence that AI-driven decisions are fair, transparent and accountable.
FCA Consumer Duty (PRIN 2A)
Constrains AI in pricing, advice, credit and collections so it cannot exploit vulnerability, embed unfair bias or produce outcomes customers cannot understand.
Senior Managers and Certification Regime (SM&CR)
Makes a named Senior Management Function holder personally accountable for AI risk and model governance, mapped through their Statement of Responsibilities.
PRA Supervisory Statement SS1/23
Sets model risk governance and independent validation expectations that explicitly extend to AI and machine-learning models in capital, pricing and risk.
Information Commissioner's Office (ICO) under UK GDPR
Enforces Article 22 rights on solely automated decisions and profiling, which bear directly on AI in credit, fraud and pricing.
What good AI governance looks like for financial services firms.
The Board AI Scorecard measures five areas. Here is what each means in your sector.
Accountability & board oversight
A named Senior Management Function holder owns AI risk in their Statement of Responsibilities, with a clear escalation path to the board and its risk committee.
AI policy & controls
AI use is governed through your existing model risk, conduct and resilience policies, aligned to the FCA Principles and the Consumer Duty rather than written as a standalone technology rule.
Risk, transparency & assurance
Every AI model in credit, pricing or fraud is validated and monitored to SS1/23 expectations, tested for bias against vulnerable and protected groups, and held within stated impact tolerances.
Data & security
Controls keep transaction, affordability, KYC and biometric data out of generative AI tools and govern the third-party and cloud AI dependencies behind important business services.
Board literacy & capability
Directors fluent in credit, market and conduct risk are equipped to challenge model explainability, training-data bias and validation rather than deferring to the CRO or model risk team.
Questions your board should be asking.
- Which named Senior Management Function holder owns AI risk, and is it written into their Statement of Responsibilities with a clear escalation path to the board?
- For every AI model in credit, pricing or fraud, can we explain its decisions to a customer and the FCA, and have we tested it for bias against vulnerable and protected groups under the Consumer Duty?
- How do our machine-learning models meet the model risk governance and independent validation expectations of PRA SS1/23, and who signs off that they remain within tolerance?
- Where AI makes or heavily influences decisions about individuals, are we compliant with UK GDPR Article 22, with genuine human review rather than a rubber stamp?
- Which important business services depend on AI or third-party AI providers, and do those dependencies sit within our operational resilience impact tolerances and concentration limits?
- What prevents customer, confidential or regulated data from leaking into generative AI tools, and how do we govern hallucination and inaccuracy in customer-facing and advisory uses?
Taking these to a meeting? Print the one-page board pack.
We advise your board and build the controls that hold under supervision.
Start with the free Board AI Scorecard, a short read of where your AI governance stands across five areas. The AI Wake-Up Call is a board session that gets directors fluent in the AI decisions in front of them, from model explainability to Consumer Duty and SM&CR ownership. The GovernIQ™ Diagnostic then gives you a scored, board-ready picture and a prioritised plan, after which we advise and build the model governance, validation and data controls the regulator expects. The work is led by Dr Karl George MBE, creator of the tgf Governance Code, and aligned to ISO/IEC 42001, the NIST AI Risk Management Framework, UK GDPR and the NCSC cloud security principles. Governance AI prepares your firm for certification against these standards. It does not issue it.
See where your board stands before the FCA asks.
Take the free Board AI Scorecard. It takes a few minutes and tells you where your AI governance is exposed. Or book a short conversation with us.