
The FCA has made its position on AI clear: no new rules. Existing frameworks apply. Consumer Duty. SM&CR. Operational resilience. Work it out.
This is being reported as the regulator taking a light touch. It isn’t. It’s the regulator telling every financial services firm in the UK that they are already accountable for how they use AI, and that when something goes wrong, the absence of AI-specific rules will not be a defence.
The Treasury Committee said as much in January. Its conclusion was blunt: the FCA is not doing enough to manage the risks AI presents, and its “wait and see” approach exposes consumers to serious harm. The Mills Review, launched the same week, is now examining how AI will reshape retail financial services by 2030, with recommendations to the FCA Board due this summer.
For mid-size firms, this creates a specific problem. The wealth managers, financial planners and insurance intermediaries with 50 to 250 people are subject to the same regulatory obligations as the largest institutions. But they don’t have an AI strategy team, a Chief AI Officer or a dedicated governance function. They have a CEO who is commercially excellent, a compliance team that is already stretched and a growing number of AI tools that nobody formally owns.
The gap between using AI and governing it
Most financial services firms at this scale are already using AI. Not in some grand strategic way. In the practical, daily sense. Staff are using ChatGPT to draft client communications. Teams are piloting tools for research, for compliance checks, for summarising meeting notes. Someone in operations has connected an API to speed up a process. It works. Nobody objects. Nobody documents it.
The adoption happens before the governance. In a regulated environment, that sequence is dangerous. Not because the tools are bad, but because the accountability structure hasn’t caught up.
Under SM&CR, a Senior Manager is personally accountable for the outcomes produced in their area of responsibility. That includes outcomes produced by AI systems they may not fully understand, deployed by staff who may not have sought approval, processing client data in ways that may not have been assessed against Consumer Duty requirements.
The question isn’t whether your firm is using AI. It almost certainly is. The question is whether anyone can explain, to a regulator, exactly what AI is doing, where, why and who is accountable for the results.
Why architecture matters more than policy
The instinct when this problem becomes visible is to write a policy. An AI acceptable use policy. A set of guidelines. Maybe a committee.
Policy is necessary. But policy alone is a request. It asks people to behave in a certain way. Architecture is a constraint. It makes certain behaviours structurally impossible. In regulated environments, the difference between the two is the difference between hoping for compliance and engineering it.
A financial planning firm that has a policy saying “don’t enter client data into public AI tools” is relying on every adviser, every day, making the right judgement call. A firm that has provisioned a governed AI environment where client-facing tools are ring-fenced, auditable and access-controlled has built the constraint into the system. The first approach fails at scale. The second one doesn’t.
This isn’t about choosing expensive enterprise AI platforms. It’s about making deliberate architectural decisions. Where AI can access client data and where it can’t. What outputs require human review before reaching a client. How decisions made by AI are logged in a way that satisfies SM&CR accountability requirements. How the firm can demonstrate this to the FCA if asked.
What the Altruist moment means for you
In February, a US startup called Altruist launched an AI-powered tax planning tool. It generated personalised strategies in minutes. UK wealth manager share prices dropped immediately. St James’s Place fell 13%. AJ Bell dropped 8%. Quilter declined 5%.
The market was not reacting to a single product launch. It was pricing in a structural shift: AI-driven tools can now compress the advisory work that justifies current fee structures. The question for every mid-size wealth firm is not whether this technology arrives in the UK. It is whether you are positioned to use it or be displaced by it.
The firms that will navigate this well are not the ones that adopt AI fastest. They are the ones that adopt it most deliberately, with clear governance, clear accountability and an architecture that makes responsible AI the default rather than the exception.
What a governed approach actually looks like
For a firm of 50 to 250 people in financial services, an AI strategy doesn’t need to be a 60-page document. It needs to answer five questions.
Where is AI already being used, formally and informally, across the business?
What client data is being processed by AI tools, and is this documented?
Who is the accountable Senior Manager under SM&CR for AI-related outcomes?
What is the firm’s position on AI-assisted client communications and advice?
Can the firm demonstrate, today, that its AI use complies with Consumer Duty?
If any of those questions produce silence, the firm has a governance gap that exists right now. Not at some future point when the FCA publishes new rules.
The FCA has already said it won’t publish AI-specific rules. It doesn’t need to. The existing frameworks are sufficient to hold firms accountable. What’s missing is not regulation. It’s the internal architecture that connects AI tools to the accountability structures regulation already requires.
That’s not a technology problem. It’s a leadership problem. And it’s solvable, if someone owns it.