AI model risk governance for FCA firms

A board-level playbook for FCA-regulated firms governing AI models through SS1/23, Consumer Duty, SM&CR and evidence-led controls.

Hamada Mahdi · 7 min read · Researched and drafted with AI assistance, reviewed by Karl George MBE
AI model risk governance for FCA firms should start with a complete model inventory, a named accountable senior manager, independent validation, monitoring evidence and customer-outcome controls. The board question is not whether AI is allowed; it is whether each model can be evidenced under existing rules.

The regulatory starting point is already clear. In its AI approach, the FCA has said it does not plan to introduce AI-specific rules and will rely on existing frameworks, including Consumer Duty and the accountability regime. The Bank of England and FCA's 2024 survey of AI in UK financial services found 75% of respondent firms already using AI, 55% of AI use cases involving some degree of automated decision-making, and one third of current use cases implemented through third parties. That makes model risk a live board matter, not a future policy exercise.

Key takeaways

  • Existing FCA and PRA regimes already govern AI models: Consumer Duty, SM&CR, SS1/23, operational resilience and UK data-protection accountability each ask for evidence, not AI-specific slogans.
  • The first board artefact is a model inventory that includes vendor and embedded AI, not only internally built scoring models.
  • Risk committees should ask for validation evidence, drift monitoring, override records, incident triggers and named senior-manager accountability before approving material deployment.
  • Customer-facing models need outcome testing under Consumer Duty and privacy-risk assessment where personal data is processed, not only accuracy metrics.
  • Third-party foundation models do not transfer accountability away from the firm; the survey evidence points to rising third-party concentration and partial understanding.

Who this applies to

This playbook is for FCA-regulated and dual-regulated financial-services firms using AI in pricing, fraud detection, credit decisioning, advice triage, financial promotions review, complaints handling, customer support, regulatory reporting or internal risk work. For the broader sector baseline, read our financial-services AI governance playbook.

PRA SS1/23 applies directly to regulated UK-incorporated banks, building societies and PRA-designated investment firms with internal model approval to calculate regulatory capital requirements, but its logic is useful beyond that legal perimeter. SS1/23 sets out five model-risk principles: model identification and risk classification; governance; model development, implementation and use; independent validation; and model risk mitigants. FCA solo-regulated firms should not pretend SS1/23 binds them if it does not, but they should still recognise the supervisory direction: material models need ownership, evidence and control.

What FCA firms need to decide about AI model risk governance

The board or risk committee should make five recorded decisions before a material AI model goes live or is materially changed:

  1. Scope: which AI systems count as models, including vendor models, embedded decision engines and foundation-model features.
  2. Accountability: which Senior Management Function or executive owner is accountable for the model, its use case and its outcomes.
  3. Risk appetite: what level of error, bias, drift, operational dependency and customer harm is acceptable for this use case.
  4. Validation: what independent evidence is required before deployment, and what evidence triggers withdrawal or manual review.
  5. Customer and service impact: how the model affects Consumer Duty outcomes, important business services and data-protection rights.

SM&CR makes this a personal accountability issue. Every Senior Management Function holder must have a Statement of Responsibilities, and under the Duty of Responsibility the FCA can take action against the responsible SMF holder where they did not take reasonable steps to prevent or stop a breach in their area (see the FCA's Senior Managers Regime guidance). For AI, the reasonable-steps file is the inventory, approval minute, validation pack, monitoring dashboard and incident record.

Controls and evidence the risk committee should expect

The control test is simple: could the firm reconstruct the model's approval, operation and customer effect six months later, after a complaint, outage or supervisory question?

Control | Evidence | Owner
--- | --- | ---
Model inventory | Register entry covering purpose, owner, data sources, vendor dependency, customer impact, materiality and last review date | Chief risk officer or model-risk lead
Senior-manager accountability | Statement of Responsibilities mapping, committee minute and named accountable executive | SMF holder or equivalent executive owner
Independent validation | Validation report, challenge log, limitations accepted, residual risks recorded and deployment decision | Model validation or second-line risk
Consumer outcome testing | Segment-level outcome analysis, vulnerable-customer checks, complaint themes and fair-value assessment | Consumer Duty owner
Data-protection assessment | DPIA, lawful-basis record, human review path and privacy-risk mitigants where personal data is processed | DPO or privacy lead
Operational dependency | Important business service mapping, impact tolerance assessment, vendor exit option and manual workaround | COO, resilience lead or technology risk
Live monitoring | Drift, performance, override, incident, complaint and false-positive measures with thresholds and escalation | Model owner
Decision audit trail | Append-only record of input, model output, human override and final decision for material use cases | Product, operations or engineering owner

Two engineered controls matter in practice. A confidence floor with reason codes lets deterministic code withhold automation and route low-certainty or unexplained cases to a person, and the routing decision is itself recorded. An append-only decision ledger records what the model proposed, who accepted or changed it, and when; "append-only" means the store is write-once and tamper-evident, not merely a table nobody intends to edit. Together these controls turn governance into evidence.
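As an added illustration, not code from this page or from any firm's system, the Python below sketches both controls together: a deterministic gate that withholds automation when confidence is below a floor or no reason code is present, and a hash-chained, append-only ledger whose verify() detects any later edit, deletion or reordering of recorded decisions. The confidence floor of 0.85, the reason codes, the model identifier "credit-limit-v2", the reviewer identity and the three sample cases are constructed assumptions.

```python
# Added example: confidence floor with reason codes + append-only, hash-chained decision ledger.
# Threshold, reason codes, model identifiers and sample cases are constructed assumptions.
from __future__ import annotations
import hashlib
import json
import time
from dataclasses import dataclass

CONFIDENCE_FLOOR = 0.85  # assumed risk-appetite setting; set per use case by the risk committee


@dataclass(frozen=True)
class ModelOutput:
    model_id: str
    model_version: str
    proposal: str             # what the model wants to do, e.g. "approve", "decline", "flag"
    confidence: float         # calibrated probability the model assigns to its proposal
    reason_codes: tuple = ()  # machine-readable reasons, e.g. ("RC01", "RC07")


def gate(output: ModelOutput, floor: float = CONFIDENCE_FLOOR) -> dict:
    """Deterministic floor: automate only if confident enough AND at least one reason code
    is present; otherwise route to a person. The routing reason is itself evidence."""
    if not output.reason_codes:
        return {"route": "human_review", "why": "no_reason_codes"}
    if output.confidence < floor:
        return {"route": "human_review", "why": "below_confidence_floor"}
    return {"route": "automated", "why": "above_floor_with_reason_codes"}


class DecisionLedger:
    """Append-only ledger: each entry commits to the previous entry's hash, so editing,
    deleting or reordering history is caught by verify(). There is no update/delete API."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def append(self, record: dict) -> dict:
        prev = self._entries[-1]["hash"] if self._entries else self.GENESIS
        body = dict(record, seq=len(self._entries), prev_hash=prev)
        entry = dict(body, hash=self._digest(body))
        self._entries.append(entry)
        return entry

    def entries(self) -> list[dict]:
        return [dict(e) for e in self._entries]  # copies, so callers cannot mutate history

    def verify(self, entries: list[dict] | None = None) -> bool:
        prev = self.GENESIS  # recompute the chain; False on a broken link, bad seq or altered body
        for i, e in enumerate(self._entries if entries is None else entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def decide(ledger: DecisionLedger, case_id: str, inputs: dict, output: ModelOutput,
           human: tuple | None = None, ts: float | None = None) -> dict:
    """Apply the gate, then record input, proposal, routing, who decided and the outcome.
    `human` is (actor, decision, reason) and is consulted only when automation was withheld."""
    g = gate(output)
    if g["route"] == "automated":
        actor, final, reason = "system:gate", output.proposal, None
    elif human is None:
        actor, final, reason = "queue:human_review", "pending", None  # routed, not yet actioned
    else:
        actor, final, reason = human
    return ledger.append({
        "ts": time.time() if ts is None else ts, "case_id": case_id, "inputs": inputs,
        "model_id": output.model_id, "model_version": output.model_version,
        "proposal": output.proposal, "confidence": output.confidence,
        "reason_codes": list(output.reason_codes), "route": g["route"], "route_reason": g["why"],
        "actor": actor, "final_decision": final, "override_reason": reason,
        "overridden": final not in (output.proposal, "pending"),
    })


def demo() -> tuple[DecisionLedger, bool]:
    """Constructed sample: three credit-limit cases, then a simulated edit to history."""
    ledger = DecisionLedger()
    m = ("credit-limit-v2", "2.3.1")  # assumed model identifier and version
    decide(ledger, "case-001", {"applicant_ref": "a1f3"},
           ModelOutput(*m, "approve", 0.93, ("RC01",)), ts=1.0)
    decide(ledger, "case-002", {"applicant_ref": "9b2c"},
           ModelOutput(*m, "approve", 0.71, ("RC04",)),
           human=("smf:reviewer-1", "decline", "affordability evidence incomplete"), ts=2.0)
    decide(ledger, "case-003", {"applicant_ref": "c0de"},
           ModelOutput(*m, "decline", 0.97, ()), ts=3.0)
    tampered = ledger.entries()
    tampered[1]["final_decision"] = "approve"  # someone quietly 'fixes' the override later
    return ledger, ledger.verify(tampered)


if __name__ == "__main__":
    ledger, tampered_ok = demo()
    print("chain verifies:", ledger.verify(), "| tampered copy verifies:", tampered_ok)
```

Two design points are worth noting. The automated path ignores any human argument, so a decision the gate automated cannot be relabelled afterwards through the same call, and a case routed to review but not yet actioned is recorded as pending rather than silently dropped, which makes the review backlog visible in the same evidence trail. In production the ledger would be written to write-once storage with the chain head periodically anchored somewhere the model owner cannot change; the sketch only shows the chaining and the verification.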

Framework mapping for model risk

No single framework is enough on its own. The board should map each material model across the regimes that will be used to judge it.

Framework | What it adds | Evidence question
--- | --- | ---
PRA SS1/23 | Model identification, classification, governance, development, independent validation and mitigants | Can we show the model's lifecycle record and independent challenge?
FCA Consumer Duty | Customer outcomes, fair value, understandable communications and support needs, as set out on the FCA's Consumer Duty page | Can we show the model improves or protects customer outcomes by segment?
SM&CR | Named senior-manager responsibility and reasonable-steps evidence | Can a named person explain what they approved, monitored and escalated?
Operational resilience | Important business services, impact tolerances, mapping, testing and lessons learnt, as described in the FCA's operational resilience guidance | If the model or provider fails, can the service remain inside tolerance?
ICO AI guidance | Accountability, DPIAs, human involvement and data-protection-by-design for AI processing personal data, as set out in the ICO's AI accountability guidance | Have we assessed individual-rights risk and recorded meaningful human review where required?
NIST AI RMF | Govern, Map, Measure and Manage as a practical risk-management cycle, including third-party AI risk monitoring in the AI RMF Core | Do we know the context, measure the risk and manage it after deployment?
ISO/IEC 42001 | A management-system wrapper for AI governance, risk assessment, treatment and continual improvement, as summarised by ISO | Can the firm evidence a repeatable management system rather than one-off approvals?

The FCA's AI approach is deliberately technology-neutral. That helps firms that already have mature model-risk processes, but it punishes vague ownership. A model can be outside SS1/23 and still create Consumer Duty exposure. A chatbot can be outside capital modelling and still disrupt an important business service. A vendor model can sit outside the firm's codebase and still sit inside the firm's accountability.

Common mistakes that weaken evidence

The first mistake is treating the model inventory as a list of internal builds. The Bank and FCA survey found one third of current AI use cases were third-party implementations, with the top three model providers accounting for 44% of all named model providers. A risk register that misses vendor AI is describing the easier half of the estate.

The second mistake is separating model accuracy from customer outcomes. Accuracy against a validation dataset does not prove fair value, fair treatment or adequate support. A fraud model that reduces losses can still produce unacceptable false positives for a vulnerable customer group. Consumer Duty makes that a governance question.

The third mistake is recording a committee approval without a withdrawal trigger. The NIST AI RMF Manage function expects risk responses, monitoring, appeal, override, decommissioning and incident response to be documented. A board pack that approves deployment but does not state what stops deployment has left the hardest decision to whoever notices the failure first.

The fourth mistake is relying on vendor assurance without a firm-side explanation. The Bank and FCA survey found 46% of respondent firms reported only partial understanding of the AI technologies they use, compared with 34% reporting complete understanding. Partial understanding is not automatically a breach, but it changes the evidence requirement: stronger contractual rights, monitoring, exit planning and human review.

Next step: make the model inventory board-ready

Start with the inventory, then ask whether each material model has a decision owner, a validation pack, a monitoring threshold, an override path and a customer-outcome test. If the answer is unclear, the governance gap is already visible.

For a fast board-level diagnostic, complete the Board AI Scorecard and use the result to prioritise which models need deeper review. If your firm is already mapping AI against Consumer Duty, SM&CR and SS1/23, pair the model register with the SM&CR accountability evidence pack so named ownership and model evidence stay connected. The next artefact should be a board-ready model register that links policy, evidence and controls rather than a spreadsheet of model names.

Sources: Bank of England and FCA AI survey · FCA AI approach · PRA SS1/23 · FCA Senior Managers Regime · FCA Consumer Duty · FCA operational resilience · ICO AI accountability guidance · NIST AI RMF Core · ISO AI management systems.

Tags: model risk · FCA · SS1/23 · Consumer Duty · financial services