Board pack · Financial services

The AI questions for your next board meeting.

Six questions for the boards of financial services firms, with the regulators and duties they answer to. Table it, ask each question, and note which answers your organisation could evidence today.

The six questions.

  1. Which named Senior Management Function holder owns AI risk, and is it written into their Statement of Responsibilities with a clear escalation path to the board?
  2. For every AI model in credit, pricing or fraud, can we explain its decisions to a customer and the FCA, and have we tested it for bias against vulnerable and protected groups under the Consumer Duty?
  3. How do our machine-learning models meet the model risk governance and independent validation expectations of PRA SS1/23, and who signs off that they remain within tolerance?
  4. Where AI makes or heavily influences decisions about individuals, are we compliant with UK GDPR Article 22, with genuine human review rather than a rubber stamp?
  5. Which important business services depend on AI or third-party AI providers, and do those dependencies sit within our operational resilience impact tolerances and concentration limits?
  6. What prevents customer, confidential or regulated data from leaking into generative AI tools, and how do we govern hallucination and inaccuracy in customer-facing and advisory uses?

What your board answers to.

  • Financial Conduct Authority (FCA)

    Applies its outcomes-based Principles and SYSC governance rules to AI, expecting the board to evidence that AI-driven decisions are fair, transparent and accountable.

  • FCA Consumer Duty (PRIN 2A)

    Constrains AI in pricing, advice, credit and collections so it cannot exploit vulnerability, embed unfair bias or produce outcomes customers cannot understand.

  • Senior Managers and Certification Regime (SM&CR)

    Makes a named Senior Management Function holder personally accountable for AI risk and model governance, mapped through their Statement of Responsibilities.

  • PRA Supervisory Statement SS1/23

    Sets model risk governance and independent validation expectations that explicitly extend to AI and machine-learning models in capital, pricing and risk.

  • Information Commissioner's Office (ICO) under UK GDPR

    Enforces Article 22 rights on solely automated decisions and profiling, which bear directly on AI in credit, fraud and pricing.

Want to know how your board would answer before the meeting? The Board AI Scorecard scores the five areas these questions test, in about two minutes.