An AI governance checklist for financial services boards should turn each AI use case into a named senior-manager decision, a customer-outcome risk, a model-risk record, an operational resilience dependency and a data-protection evidence pack before approval, launch or material change.
That is the practical version of the FCA's current position. The regulator says its approach to AI is principles-based and outcomes-focused, and that it does not plan to introduce extra AI regulations because it will rely on existing frameworks (FCA AI approach). For the wider context, read our sector hub on AI governance for financial services and the companion article on why financial services AI is already bound by existing rules.
Key takeaways
- Do not wait for a separate FCA AI rulebook. The FCA points firms back to existing Consumer Duty, accountability and governance frameworks for AI (FCA AI approach).
- The board should approve AI by use case, not by tool name: decision rights, customer outcome, model owner, third-party dependency and personal-data impact all need evidence.
- The Bank of England and FCA's 2024 survey found 75% of respondent firms already using AI, so a board inventory should assume live exposure until proven otherwise (Bank/FCA survey).
- UK GDPR safeguards for significant solely automated decisions still require information, representations, human intervention and contestability where Article 22C applies (Data (Use and Access) Act 2025 section 80).
- The useful board pack is not a policy annex. It is the evidence set that lets a senior manager reconstruct how an AI-influenced outcome was approved, monitored and challenged.
Who this applies to
This checklist is for FCA-regulated firms and PRA-regulated banks, insurers and building societies using AI in pricing, lending, underwriting, fraud detection, vulnerability triage, advice support, complaints handling, surveillance, financial crime controls or internal risk operations.
It is not limited to generative AI. The Bank of England and FCA's 2024 survey found AI use across financial services in decision support, process automation, risk management and customer-facing activity, with third-party implementations common (Bank/FCA survey). A board that only asks about chatbots will miss pricing models, fraud rules, claims triage and decision engines that affect customers more directly.
The threshold question is simple: could the system influence a regulated outcome, a customer outcome, a prudential risk, an important business service or a significant automated decision about a person? If yes, it belongs in the board inventory, even if the supplier calls it analytics, automation or a workflow assistant.
What the board must decide
The board does not need to approve every prompt, parameter or vendor ticket. It does need to decide the risk appetite and evidence standard for AI uses that can change a customer's access, price, understanding, support or redress.
Before an AI system is launched or materially changed, the board or delegated risk committee should record decisions on:
- Purpose: the regulated function or business service the AI supports, and why AI is being used instead of a simpler rule or human process.
- Accountability: the senior manager, product owner, model owner and data owner responsible for the system.
- Customer outcome: how the firm will test fair value, understanding, support and foreseeable harm under Consumer Duty, which the FCA describes as requiring firms to put customers' needs first (FCA Consumer Duty).
- Model risk: whether the system sits in the model inventory (for banks and other firms in scope of PRA SS1/23, under that supervisory statement's model definition), how it is validated and what independent challenge is required (PRA SS1/23).
- Human involvement: when a human can accept, reject or alter the system output, and how that decision is recorded.
- Exit route: what happens if the model, supplier, data feed or control fails.
That frame keeps the board in its proper role. It sets the risk boundary and demands evidence, while management owns build, testing and operation.
AI governance checklist for financial services boards
Use this checklist at approval, annual review and material change. A material change includes a new model version, a new data source, a wider customer population, a new supplier dependency or a move from decision support to automated decision.
- Inventory the use case. Record the product, process, customer group, regulated function, model type, data source, supplier and business service affected.
- Name the accountable people. Map the use case to the relevant senior manager, model owner, product owner, data protection owner and operational resilience owner. The FCA says its SM&CR rules emphasise accountability for senior managers (FCA SM&CR).
- Classify the decision. Decide whether the system informs, recommends, ranks, approves, declines, prices or escalates. The stronger its effect on a person, the stronger the evidence standard.
- Test the customer outcome. Define how the firm will detect unfair pricing, exclusion, poor understanding, inadequate support or vulnerable-customer harm.
- Validate the model. Bring the system into the model inventory if it meets the firm's model definition. Evidence validation, limitations, monitoring thresholds and independent review.
- Assess personal-data rights. Where personal data is used in a significant automated decision, record lawful basis, meaningful human involvement, customer information and contestability.
- Check operational resilience. Link the AI use case to any important business service, impact tolerance, critical supplier or recovery plan. FCA operational resilience rules require firms to identify important business services and set impact tolerances (FCA operational resilience).
- Create the audit trail. Keep an append-only record (new entries are added; existing entries are never edited or deleted) of approval, model version, data source, prompt or configuration, output, human override and post-launch incidents. The control pattern is explained in our guide to an append-only AI decision ledger.
- Agree monitoring. Define drift, bias, complaints, override rates, false positives, false negatives, supplier incidents and customer-outcome indicators.
- Set the stop rule. Name the trigger that pauses the system, sends decisions to humans or reverts to a previous process.
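The audit-trail and stop-rule items above describe a control, not an implementation. The block below is an added example written for this page, not code from the original article or from any firm or vendor it mentions: a hash-chained decision ledger where each entry commits to the hash of the one before it, so a silent edit to an earlier record breaks verification, plus a simple stop rule computed from the ledger (human override rate per model version). The record fields, the "motor-pricing" use case, the quote identifiers, the SMF role and minute reference, and the 25% override threshold are all constructed assumptions for illustration.

```python
"""Hash-chained, append-only AI decision ledger with a ledger-driven stop rule.

Added illustrative example. All records below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """Bind a record to its predecessor: SHA-256 over prev hash + canonical JSON."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


@dataclass
class DecisionLedger:
    """Append-only ledger: every entry commits to the hash of the entry before it."""
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, record)
        self.entries.append({"seq": len(self.entries), "prev": prev,
                             "record": dict(record), "hash": h})
        return h

    def verify(self) -> tuple[bool, int]:
        """Return (True, -1) if intact, else (False, seq of the first broken entry)."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != entry_hash(prev, e["record"]):
                return False, e["seq"]
            prev = e["hash"]
        return True, -1

    def override_rate(self, model_version: str) -> float:
        """Share of recorded decisions for one model version that a human overrode."""
        decisions = [e["record"] for e in self.entries
                     if e["record"].get("kind") == "decision"
                     and e["record"].get("model_version") == model_version]
        if not decisions:
            return 0.0
        overridden = sum(1 for d in decisions if d["human_action"] == "overridden")
        return overridden / len(decisions)


def stop_rule_triggered(ledger: DecisionLedger, model_version: str,
                        max_override_rate: float = 0.25) -> bool:
    """Stop rule (threshold is a hypothetical board setting): pause when overrides exceed it."""
    return ledger.override_rate(model_version) > max_override_rate


def build_sample_ledger() -> DecisionLedger:
    """Constructed sample records (not real data): one approval, then five decisions."""
    ledger = DecisionLedger()
    ledger.append({"kind": "approval", "use_case": "motor-pricing", "model_version": "v2.1",
                   "approved_by": "SMF4 (hypothetical role)",
                   "minute": "RC-2025-03 (constructed reference)"})
    decisions = [  # (input source, model output, human action) - all constructed
        ("quote-1001", "price_up_12pct", "accepted"),
        ("quote-1002", "price_up_3pct", "accepted"),
        ("quote-1003", "decline", "overridden"),
        ("quote-1004", "price_down_5pct", "accepted"),
        ("quote-1005", "decline", "overridden"),
    ]
    for input_id, output, action in decisions:
        ledger.append({"kind": "decision", "model_version": "v2.1", "input_source": input_id,
                       "output": output, "human_action": action})
    return ledger


def tamper_demo() -> tuple[bool, int]:
    """Edit one recorded output in place, then re-verify: the chain breaks at that entry."""
    ledger = build_sample_ledger()
    ledger.entries[3]["record"]["output"] = "accept"  # a silent after-the-fact edit
    return ledger.verify()


if __name__ == "__main__":
    sample = build_sample_ledger()
    print("intact:", sample.verify())
    print("override rate v2.1:", sample.override_rate("v2.1"))
    print("stop rule triggered:", stop_rule_triggered(sample, "v2.1"))
    print("after tamper:", tamper_demo())
```

Two caveats a reviewer should raise. A hash chain only proves that entries were not altered in place; an operator with write access can still truncate the tail or rebuild the whole chain, so the current head hash needs to be checkpointed somewhere the ledger writer cannot change (signed and stored off-system, or written to WORM storage). And the stop rule here reads only override rate; the board's agreed monitoring set (drift, complaints, false positives and negatives, supplier incidents) should feed the same trigger from the same record.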
Controls and evidence the board should expect
The board pack should be short enough to read and specific enough to test. A generic AI policy does not prove that a fraud model, underwriting engine or advice assistant is governed.
| Control | Evidence to see | Owner |
|---|---|---|
| Use-case inventory | Register entry with product, process, customer group, model type, data source and supplier | Chief risk officer or AI governance lead |
| Senior-manager accountability | SM&CR mapping, committee approval minute and named accountable executive | Company secretary with risk |
| Consumer Duty assessment | Customer-outcome test plan, vulnerable-customer checks, complaints route and monitoring metric | Product owner |
| Model risk management | Model inventory entry, validation report, limitations note, change log and independent challenge | Model risk function |
| Automated-decision safeguards | Lawful basis, meaningful-human-involvement assessment, customer notice, representation route and contest process | Data protection officer |
| Operational resilience | Important-business-service mapping, supplier dependency, impact tolerance and fallback procedure | Operations or resilience lead |
| Audit trail | Immutable approval and decision record, including model version, input source, output and human action | Technology owner |
| Monitoring and stop rule | Thresholds for drift, harm, false positives, overrides, supplier failure and suspension | Risk committee |
The evidence should be tied to a live system, not a project folder. If a senior manager cannot open the register and find the version approved, the control is not yet board-grade.
Map the checklist to regulators and frameworks
The point of a board checklist is not to decorate a pack with every framework. It is to show how one evidence set answers the main regulatory questions.
| Regime or framework | Board question | Evidence produced |
|---|---|---|
| FCA AI approach | Does the use case satisfy existing outcomes-focused rules rather than waiting for AI-specific rules? | Use-case inventory and rule mapping |
| Consumer Duty | Can the firm evidence good outcomes across value, understanding and support? | Customer-outcome testing and complaints monitoring |
| SM&CR | Which senior manager owns the AI-influenced outcome? | Accountability map and approval minute |
| PRA SS1/23 | Is the AI system governed as a model, with validation and monitoring? | Model inventory, validation report and limitations note |
| Operational resilience | Could AI failure disrupt an important business service? | Impact-tolerance mapping and fallback plan |
| UK GDPR and DUAA | Are significant automated decisions supported by safeguards and meaningful human involvement? | Lawful-basis record, customer notice and contest route |
| ISO/IEC 42001 | Is there a management-system structure for AI governance? | Policy, risk process, roles and continuous improvement evidence, using our ISO/IEC 42001 board guide as the starting point |
| NIST AI RMF | Are AI risks governed, mapped, measured and managed? | Risk taxonomy, measurement plan and action tracking (NIST AI RMF) |
This mapping should connect to the firm's wider UK AI governance framework. If the framework exists only at group level and cannot point to the AI systems in production, it will not answer a supervisor's practical question.
Common mistakes and next step
The first mistake is treating AI governance as a procurement question. Vendor due diligence matters, but it does not replace the firm's own accountability for the customer outcome, senior-manager oversight, model risk, resilience and data rights.
The second is approving a system without a stop rule. A model can pass a launch test and still fail when the customer mix, fraud pattern, supplier model or data feed changes. The board should ask what signal pauses the system before harm accumulates.
The third is confusing human review with meaningful human involvement. The ICO's DUAA summary says a solely automated significant decision is one with no meaningful human involvement, and its safeguards include information, representations, human intervention and contestability (ICO DUAA summary). A rubber-stamp review after the system has effectively decided the outcome is weak evidence.
The fourth is leaving the audit trail editable. If an outcome is challenged by a customer, supervisor or senior manager, the firm needs the version, input, output, human action and approval record as it existed at the time.
Next step: benchmark the current board evidence pack with the Board AI Scorecard. If there are live FCA or PRA use cases with weak accountability, missing model inventory entries or no contest route, move to the AI governance diagnostic and start with the highest-impact customer or prudential process.
Sources: FCA AI approach · Bank/FCA AI survey 2024 · Data (Use and Access) Act 2025 section 80 · FCA Consumer Duty · PRA SS1/23 · FCA SM&CR · FCA operational resilience · NIST AI RMF · ICO DUAA summary



