
No AI rulebook, but your AI is already bound

There is no FCA AI rulebook. Consumer Duty, SM&CR, SS1/23 and UK GDPR's new Articles 22A-22D already govern AI in financial services today.

Governance · AI · 8 min read · Updated 29 May 2026. Researched and drafted with AI assistance, reviewed by Dr Karl George MBE.

A pricing model nudges a customer into a higher premium band. A fraud engine declines a payment. An eligibility check routes an application away from a human. None of those decisions waited for an AI Act, and none of them are unregulated. The firm that built them is already answerable for the outcome under rules it has lived with for years.

That is the position most UK financial services firms are now in. The Bank of England and FCA's 2024 survey found around 75% of firms already using AI, with a further 10% planning to within three years; 55% of use cases involved automated decision-making (Bank of England, April 2025). There is no AI-specific FCA handbook chapter governing any of it. There does not need to be. The existing rulebook already reaches the AI, because it is written around outcomes and accountability rather than the technology that produces them.

Key takeaways

  • There is no AI-specific FCA rulebook; the FCA and PRA reaffirmed a technology-neutral, outcomes-focused stance on 1 April 2026, applying existing rules to AI.
  • Four existing regimes already bind your AI: Consumer Duty, SM&CR, PRA SS1/23 on model risk, and operational resilience — none needed amendment to reach it.
  • Where personal data drives a significant decision, UK GDPR's new Articles 22A-22D (in force 5 February 2026) preserve the rights to human review and to contest it.
  • "The model did it" is not a defence under Consumer Duty; you must be able to reconstruct why a particular customer received a particular outcome.
  • The work is engineering, not a policy document: a recorded named decision-maker, an audit trail you cannot quietly edit, and explainability that survives a complaint.

There is no AI rulebook because the regulators chose not to write one

UK financial regulators have deliberately declined to create AI-specific rules. Their approach is technology-neutral and outcomes-focused: they apply the frameworks firms already operate under, regardless of whether a decision is made by a person, a spreadsheet, or a model. The FCA and PRA reaffirmed that technology-neutral stance on 1 April 2026 (FCA, AI and the FCA: our approach).

This is the same shape as the wider UK picture: the country has no single AI statute, and governance runs through existing sector regulators applying five cross-cutting principles. In financial services those principles land on top of rules that already have teeth.

The practical consequence is uncomfortable for anyone hoping a future rulebook will tell them what "good" looks like. The obligations are live now. In January 2026 the Treasury Committee pressed the regulators for practical guidance on applying Consumer Duty and SM&CR to AI, and that guidance is expected by end-2026, but the duties themselves do not start when the guidance lands. They started when you deployed the model.

Four frameworks already bind your AI

Four existing regimes do most of the work. Each was written for a world of human and statistical decisions, and each extends to AI without amendment.

| Framework | What it already requires | Where AI lands |
| --- | --- | --- |
| Consumer Duty | Good outcomes and fair value across products, price, understanding and support | Any model that shapes pricing, eligibility, advice or service quality |
| SM&CR | A named senior manager accountable for a function and its outcomes | The senior manager remains accountable when a model performs the function |
| PRA SS1/23 (model risk management) | Identification, validation, monitoring and governance of models | AI/ML models sit inside scope; firms are extending it to generative and agentic systems |
| Operational resilience / Critical Third Parties | Important business services stay within impact tolerances; concentration risk is managed | Dependence on cloud and foundation-model providers |

Consumer Duty does not care how the unfair outcome was produced

Consumer Duty requires firms to deliver good outcomes and fair value, to avoid causing foreseeable harm, and to evidence that they have done so. It is outcomes-based by design, which is precisely why it reaches AI without mentioning it. If a pricing model causes foreseeable harm to a vulnerable customer, the Duty has been breached whether the model is a logistic regression or a large language model. "The model did it" is not a defence; it is an admission that you cannot evidence the outcome.

The evidential burden is the hard part. You have to be able to show, after the fact, why a particular customer received a particular outcome. A model that cannot explain its reasoning, or whose decisions cannot be reconstructed, leaves you unable to discharge the Duty even if the outcomes happen to be fair.

SM&CR means a named person owns the model's decisions

The Senior Managers and Certification Regime attaches individual accountability to functions. When AI takes over a function a person used to perform, the accountability does not evaporate into the model. A named senior manager still answers for the outcome. That reframes the governance question from "is the AI compliant?" to "can the accountable individual demonstrate they had reasonable oversight of what the AI did?"

In practice that is a documentation and design problem before it is a legal one. The senior manager needs a record of what the model was allowed to decide, what it actually decided, and where a human stood in the loop. Without that, the regime exposes a person, not just a firm.

SS1/23 already governs the model, and AI is just a harder model

The PRA's Supervisory Statement SS1/23 on model risk management is the most directly applicable of the four. It is a mature framework for identifying models, validating them, monitoring performance and governing change. AI and machine-learning models sit inside its scope, and firms are now stretching it to cover generative and agentic systems, with genuine industry debate about how far the existing validation expectations carry across.

If you already run model risk management to SS1/23, the work is extension, not invention: bringing AI models into the inventory, deciding how you validate a model whose behaviour is probabilistic, and defining monitoring for drift you cannot fully specify in advance. If you do not, AI is not the place to start the discipline — but it is the place that will expose its absence.

UK GDPR's new Articles 22A-22D apply where personal data is involved

For most customer-facing AI, the binding regime that already applies is data protection law, and it changed this year. The Data (Use and Access) Act 2025 reshaped the UK's automated decision-making rules. Its section 80 came into force on 5 February 2026, repealing the old Article 22 of the UK GDPR and replacing it with new Articles 22A-22D (ICO, DUAA 2025: what it means for organisations).

The reform relaxes the previous near-prohibition on solely-automated decisions. Firms can now rely on broader lawful bases, including legitimate interests, for solely-automated decisions that do not involve special-category data. The stricter protections — and the rights to human review and to contest the decision — are preserved where special-category data is used or where the decision is significant. In financial services, eligibility, pricing and fraud decisions are exactly the "significant" category this is written for.

Note on guidance status: the ICO launched a consultation on updated automated decision-making and profiling guidance on 31 March 2026, which closed on 29 May 2026, with final guidance expected summer 2026. Treat that ADM guidance as draft until it is published; the statutory Articles are in force, but the detailed expectations are not yet settled.

The ICO is the lead regulator wherever AI processes personal data. A firm that can rely on a broader lawful basis still has to honour the right to human review and contestability — which, again, is a design requirement, not a policy paragraph.

The work is engineering, not a policy document

The pattern across all four frameworks is the same: each demands that you can reconstruct a decision, name who was accountable, and show where a human could intervene. Those are properties of a system, and they are far cheaper to build in than to retrofit.

Three controls do most of the load-bearing, and each can be enforced in code rather than promised in a policy:

  • A named decision-maker, recorded. SM&CR accountability and the GDPR right to human review both need a person in the loop whose decision is logged with their identity and a timestamp. In one of our builds, a confidence floor and reason codes let deterministic code overrule the model and route the case to a human when certainty drops below a configured threshold — the human decision is the one that takes effect.
  • An audit trail you cannot quietly edit. Consumer Duty and SS1/23 both turn on after-the-fact evidence. An append-only decision ledger — recording the model, its input, its output and the human's accept, modify or reject — is the artefact a supervisor will ask for. If the record can be changed, it is not evidence.
  • Explainability that survives a complaint. When a customer contests a decision, you need to show why it was made. A model that produces a number with no traceable reasoning cannot discharge either the Duty or the Article 22A-22D review right.

This is the through-line in how we build the systems we govern: the governance is a property of the code, not a document stapled to it. A confidence floor that overrules the model, or a decision ledger that cannot be rewritten, is worth more in front of a supervisor than any framework alignment claim.

What about the EU AI Act?

If your firm places AI on the EU market, serves EU customers, or its AI output is used in the EU, the EU AI Act reaches you extraterritorially even though the UK is outside it. Credit scoring and certain insurance use cases fall within its high-risk tier. The high-risk application dates were pushed back under the 2026 Digital Omnibus to 2 December 2027 for stand-alone systems and 2 August 2028 for systems embedded in regulated products — though these amendments were still completing the EU legislative process as of late May 2026, so confirm final adoption before relying on the dates. The Act is a separate, binding regime; do not assume the UK's lighter-touch posture covers your EU exposure.

Where to start

If you are running AI in an FCA or PRA-regulated firm, three questions surface most of the exposure:

  1. Can you reconstruct any individual AI-influenced decision — its inputs, the model's output, and the human who signed it off?
  2. Is there a named senior manager who can evidence reasonable oversight of each AI system performing a regulated function?
  3. Where personal data drives a significant decision, can a customer obtain human review and contest it, as Articles 22A-22D require?

If the answer to any of these is "not cleanly," that is the gap to close before guidance arrives — not after. The same evidential discipline a combined authority asks for before public-sector AI goes live is what a financial supervisor will ask for, framed in different vocabulary.

Last reviewed: 29 May 2026.


If you are mapping your AI estate against Consumer Duty, SM&CR, SS1/23 and the new ADM rules, it is worth a short conversation about where your exposure actually sits. See how we build and govern these systems, or get in touch.

Tags: financial services, Consumer Duty, SM&CR, SS1/23, model risk management
