FCA AI governance SM&CR accountability

How FCA-regulated firms should evidence AI ownership under SM&CR, Consumer Duty, model risk and UK GDPR.

Governance · AI · 9 min read · Researched and drafted with AI assistance, reviewed by Karl George MBE

FCA AI governance SM&CR accountability means a named Senior Management Function holder can show reasonable steps over each AI use case: approved purpose, customer outcome risk, data basis, model control, human review, monitoring, incident route and a decision record that survives challenge.

The FCA has not written a separate AI rulebook. Its current AI approach says it will rely on existing frameworks, and its AI Update treats the FCA as technology-agnostic, principles-based and outcomes-focused. For financial services boards, the question is therefore not whether an AI regulation has arrived. It is whether the existing Senior Managers and Certification Regime can see who owns the system and what evidence they had when it caused, avoided or escalated harm.

Key takeaways

  • A named SMF remains accountable for the function AI supports; accountability cannot be parked with a vendor, data science team or model committee.
  • The evidence test is "reasonable steps", not model perfection. The record should show allocation, controls, monitoring, escalation and independent challenge.
  • Consumer Duty turns AI governance into an outcomes question: the board needs evidence that AI-influenced decisions are not creating foreseeable customer harm.
  • PRA SS1/23 gives banks and PRA-designated firms a model risk structure: inventory, classification, governance, development, validation and mitigants.
  • UK GDPR and the Data (Use and Access) Act 2025 add human intervention and challenge rights where personal data drives significant automated decisions.
  • The practical artefact is a decision ledger: owner, approved use, model version, input class, output, human decision, control breach and review date.

FCA AI governance SM&CR accountability starts with a named SMF

The Senior Managers Regime requires every Senior Management Function holder to have a Statement of Responsibilities setting out what they are responsible and accountable for. If a firm breaches an FCA requirement, the SMF responsible for that area may be held accountable if they did not take reasonable steps to prevent or stop the breach.

That is the useful starting point for AI. The board does not need to invent an "AI owner" if the system is plainly performing an existing business function. A lending model belongs with the accountable executive for credit risk and customer outcomes. A claims triage model belongs with the executive who owns claims operations. A surveillance model belongs with the executive who owns the relevant control function.

The FCA Handbook overview of SM&CR is explicit that responsibilities should be allocated among SMF managers, and that enhanced firms should maintain a management responsibilities map. The AI question is whether the map still reflects reality after automation. If a model now determines a price, a referral, an eligibility outcome or the next action shown to staff, the map should show who owns that function when the model acts.

The conduct rules make this practical. COCON 2.2 says a senior manager must take reasonable steps to ensure the business they are responsible for is controlled effectively, complies with regulatory standards, and that delegated responsibilities are overseen. COCON 4.2 adds the control evidence: clear assignment, defined reporting lines, suitable policies, monitoring, investigation of suspected problems and timely action on recommendations.

What the board and SMF need to decide

A board paper on a material AI use case should not ask for a vague approval of "AI". It should ask for a bounded decision a senior manager can later evidence.

  • Which regulated function, product or customer journey is the AI system allowed to affect?
  • Which SMF owns the function, and does their Statement of Responsibilities or responsibilities map need an update?
  • What customer outcome, prudential, conduct, privacy or operational risk could the system create?
  • What decisions must remain human, and what thresholds force escalation?
  • What management information will the SMF and board receive, and how often?
  • What event pauses or rolls back the system: drift, bias signal, complaint pattern, outage, vendor change or control breach?

This is also where the board should separate three roles that are often blurred. The product owner can own delivery. The model owner can own technical performance. The SMF owns the regulated function and its outcomes. Those roles may sit in the same committee pack, but they should not be collapsed into one unexplained line.

The Bank of England and FCA 2024 survey shows why the allocation matters. It found 75% of respondent firms were already using AI, with a further 10% planning to do so within three years. Among firms using AI, 84% had an accountable person or persons for the AI framework, and 72% of firms using or planning to use AI allocated accountability for AI use cases and outputs to executive leadership. That is progress, but the board should still ask whether the named accountability follows each real use case into the line of business.

Controls and evidence the SMF needs

Reasonable steps are shown by records, not assurances. The artefacts below are the minimum evidence set a board should expect before a material AI system goes live, and again when it materially changes.

| Control | Evidence the board or SMF should hold | Owner |
| --- | --- | --- |
| Use-case approval | Board or committee minute naming the system, purpose, approved scope, limits and review date | Accountable SMF |
| Responsibilities allocation | Statement of Responsibilities impact assessment, responsibilities map update or clear rationale for no change | Company secretary and accountable SMF |
| Customer outcome assessment | Consumer Duty assessment covering foreseeable harm, vulnerable customers, fair value, understanding and support | Product owner with Compliance |
| Model inventory entry | Model class, version, data sources, vendor status, materiality, limitations and dependency map | Model risk owner |
| Validation and challenge | Pre-live testing, independent validation where proportionate, bias checks, explainability note and acceptance of residual risk | Risk or model validation function |
| Human review route | Thresholds for referral, named human decision-maker, override reason codes and customer challenge process | Operations owner |
| Decision ledger | Append-only record of input class, model output, confidence, reason code, human accept or override, timestamp and model version | Product and engineering owner |
| Monitoring pack | Outcome MI, complaints, drift, override rates, false positives, false negatives, vulnerable-customer signals and incidents | Accountable SMF |
| Vendor control | Due diligence, contract terms, change notification, data processing terms, exit plan and concentration risk assessment | Procurement with Legal and Risk |
| Incident response | Pause criteria, rollback route, regulatory notification assessment and post-incident review | Accountable SMF and Compliance |

Two of those controls are where weak programmes usually fail. First, the ledger must be append-only. If the record can be edited after a complaint, it is not evidence. Our note on an append-only decision ledger sets out the engineering pattern. Second, the human review route must be designed before go-live. A confidence floor with reason codes is one practical way to make the model stop below an agreed threshold and route the case to a named person.
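As an added example (not this site's own ledger note or any firm's implementation), the sketch below shows the two controls in working Python: a confidence-floor router that refers low-confidence cases to a named person with a reason code, and a hash-chained ledger carrying the fields from the table, whose verify() fails if any earlier record is edited or dropped. The threshold value, field names and sample values are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed confidence floor agreed with the accountable SMF; illustrative value.
CONFIDENCE_FLOOR = 0.80

def route_decision(confidence: float, reason_code: str, named_reviewer: str) -> dict:
    """Below the floor the model does not decide: the case is referred to the
    named person, with the reason code attached so the referral is explainable."""
    if confidence < CONFIDENCE_FLOOR:
        return {"human_decision": "REFER", "decision_maker": named_reviewer,
                "reason_code": reason_code}
    return {"human_decision": "MODEL_ACCEPT", "decision_maker": "model",
            "reason_code": reason_code}

def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys) so identical fields always hash identically.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

class DecisionLedger:
    """Append-only ledger: every entry carries the hash of the entry before it,
    so editing or removing any earlier record is detected by verify()."""
    GENESIS = "0" * 64
    def __init__(self):
        self.entries = []

    def append(self, input_class, model_output, confidence, reason_code,
               human_decision, decision_maker, model_version, timestamp=None):
        entry = {
            "prev_hash": self.entries[-1]["hash"] if self.entries else self.GENESIS,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "input_class": input_class, "model_output": model_output,
            "confidence": confidence, "reason_code": reason_code,
            "human_decision": human_decision, "decision_maker": decision_maker,
            "model_version": model_version,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        # Recompute the chain; False means a record was altered or dropped.
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In production the chain head would be anchored outside the writable store (a signed checkpoint or write-once storage), since an in-memory list only makes tampering detectable, not impossible.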

For the broader sector position, read our financial-services pillar on AI governance for financial services. This article is narrower: it is the board and SMF evidence pack underneath that position. For the model inventory, validation and monitoring layer, use the AI model-risk governance checklist.

Framework mapping: one control record, several regimes

The same evidence record can serve several obligations if it is built deliberately.

| Regime | What it asks of AI governance | Evidence that connects the regime to the system |
| --- | --- | --- |
| SM&CR | Clear senior-manager accountability, reasonable steps, controlled delegation and monitoring | Named SMF, responsibilities map, control attestation, monitoring pack and incident record |
| Consumer Duty | Strategies, governance and customer monitoring that deliver good outcomes | Outcome assessment, governing-body report, customer harm triggers, vulnerable-customer checks and action log |
| PRA SS1/23 | Model identification, governance, development, validation and mitigants for in-scope firms | Model inventory, risk classification, validation report, limitation register, monitoring and mitigant record |
| UK GDPR and DUAA | Lawful processing, safeguards for significant automated decisions and human intervention where required | DPIA, lawful basis, Article 22A-22D assessment, human review route and challenge log |
| Operational resilience | Important business services remain within tolerance when technology or vendors fail | Service map, vendor dependency, fallback process, impact tolerance and test evidence |

The Consumer Duty rules in PRIN 2A require firms to reflect the Duty in governance and leadership, prepare a governing-body report on monitoring, and agree action where retail customers may not receive good outcomes. AI systems that personalise pricing, triage complaints, route customers, shape advice or detect fraud should feed that report with outcome data, not sit in a separate innovation pack.

For banks, building societies and PRA-designated investment firms in scope, PRA SS1/23 gives a mature structure. Its five themes are model identification and classification, governance, development and use, independent validation, and mitigants. The PRA page also says responsibility for the overall model risk management framework should be allocated to the most appropriate SMF holder, and that AI and machine-learning modelling risks should be managed where they apply to models more generally.

Where personal data is involved, the data protection record matters. The ICO says the DUAA opens up lawful bases for significant automated decisions using personal information, subject to safeguards, while special category data remains more protected. The GOV.UK factsheet states that section 80 replaces Article 22 with Articles 22A-D and keeps safeguards such as information, representations, challenge and human intervention.

Common mistakes that leave the SMF exposed

The Treasury Committee's January 2026 report on AI in financial services captured the central tension. Regulators told the Committee that existing frameworks have enough bite, while stakeholders described uncertainty about how SM&CR applies to AI. The Committee recommended that by the end of 2026 the FCA should publish practical guidance on consumer protection rules and the level of assurance expected from senior managers.

Until that guidance lands, the weak positions are already visible.

Treating AI as a technology risk only. A model in a customer journey is a conduct and outcomes risk. It belongs in the product, compliance and board evidence pack, not only in IT risk.

Naming a committee instead of a person. Committees challenge, record and recommend. SM&CR still needs a named accountable executive for the function.

Relying on vendor assurance. Vendor documents help, but they do not show what the firm deployed, what data it used, what customer outcomes resulted, or which human could intervene.

Approving a pilot with no exit conditions. A pilot that touches customers still needs pause criteria, complaint monitoring and a rollback route. "Pilot" is not a control.

Keeping audit trails in editable systems. If staff can rewrite the record after an adverse outcome, the audit trail will not carry the weight the SMF needs.

Letting explainability sit outside complaints handling. Customers and supervisors will ask why a decision happened. The answer must connect model output, reason code, human review and final decision.

Next step: test the evidence before the supervisor asks

Start with one live AI use case that affects customers, pricing, eligibility, fraud, complaints, advice, claims or financial crime controls. Ask for the board paper, named SMF, model inventory entry, validation record, decision ledger, human review route and latest outcome MI. If the pack cannot be assembled inside a day, accountability is probably written in policy but not yet built into the system.

The free Board AI Scorecard gives directors and senior managers a structured first pass over that evidence. For a deeper review, our AI governance diagnostic maps your actual AI use against SM&CR, Consumer Duty, model risk and data protection, then leaves the board with an evidence-backed action plan.

Sources: FCA AI approach · FCA AI Update · FCA Senior Managers Regime · FCA Handbook SYSC 23.3 · FCA Handbook COCON 2.2 · FCA Handbook COCON 4.2 · FCA Handbook PRIN 2A · Bank of England and FCA AI survey 2024 · PRA SS1/23 · Treasury Committee report on AI in financial services · ICO DUAA guidance · GOV.UK DUAA factsheet
