AI that improves performance | The Briefing Room

AI in financial services: what's cleared compliance and what hasn't

The FCA won't hand you a list of approved AI uses; that isn't how it regulates. Here's what's cleared, and how to reframe compliance.

AI in financial services: what's cleared compliance and what hasn't

A note before we start: this piece describes the regulatory landscape as it stands and the compliance questions your firm should be asking. It is not legal advice and should not be treated as such. If you're making specific decisions about AI deployment in a regulated environment, get proper regulatory counsel involved. I'd also recommend having someone with current FCA expertise review any governance framework before you rely on it.

Right. Let's get into it.

Eighty-five percent of financial services firms are now applying AI somewhere in their operations. Only 29% report meaningful cost savings. That gap - between adoption and actual benefit - is where most of the interesting conversations are happening right now. And in my experience, the single biggest reason for that gap isn't the technology. It's compliance paralysis.

I was with the CTO of a mid-sized wealth management firm a few months ago. Smart guy, good instincts, genuinely excited about what AI could do for his business. He'd identified four use cases, built a rough business case, and taken it to his compliance team. Their response? "We can't approve anything until the FCA tells us what's allowed." That was eleven months ago. Nothing has moved. The use cases are still sitting in a shared folder. The competitors he was worried about have shipped two of the four.

The thing is, his compliance team isn't wrong - in a narrow, technical sense. The FCA hasn't published a list of approved AI applications. It hasn't said "you may use large language models for X but not for Y." And if you're waiting for that kind of explicit permission, you will wait forever. Because that's not how the FCA regulates.

The FCA published a discussion paper on AI and machine learning (DP22/4) back in 2022, contributed to the UK AI Safety Summit, and participated in subsequent policy consultations. Through all of that, the message has been remarkably consistent. Existing regulatory principles - Principle 11 on senior management responsibility, the Consumer Duty, SYSC governance requirements, MiFID algorithmic trading rules - apply to AI exactly as they apply to any other tool or process you deploy. The FCA doesn't require pre-approval of AI applications. It requires that you can demonstrate your AI applications are governed in a way that meets your existing regulatory obligations.

That's a fundamentally different proposition from "we're not allowed." And once you grasp it, the conversation changes completely.

What's cleared in principle

Let me be precise here. "Cleared in principle" doesn't mean "no regulatory risk." It means there's established precedent, understood governance requirements, and firms across the sector are using these applications with their compliance teams' blessing. You still need proper governance. But you're not in uncharted territory.

Fraud detection and prevention. AI models in fraud detection have been used by FCA-regulated firms for well over a decade. This is probably the most mature AI application in financial services. The regulatory expectations are well-understood, the precedent is strong, and the FCA has been broadly supportive of firms using sophisticated pattern recognition to catch fraud faster. If your compliance team is blocking AI-assisted fraud detection, something has gone sideways in the internal conversation.

Regulatory reporting assistance. AI tools that help produce regulatory reports - formatting, consistency checking, completeness verification - are widely deployed across the sector. The regulatory risk is low provided human review is maintained on the output. You're not replacing the judgement; you're reducing the grunt work. Most compliance teams are comfortable with this once they see the human-in-the-loop.

Document processing and classification. AI-assisted KYC and AML document processing, contract review, compliance document classification - these are established applications. The FCA has accepted these in principle. The key is maintaining proper audit trails and ensuring that a qualified person reviews any output that affects a regulatory obligation.

Credit risk modelling assistance. This one carries heavier governance requirements. The PRA's SS3/18 guidance on model risk management applies directly, and the requirements are demanding - documentation of model purpose, training data, validation approach, ongoing monitoring. But the framework exists. Firms are using AI in credit risk assessment. The path is well-trodden, even if it's not simple.

For each of these, the governance question isn't "is this allowed?" It's "can we demonstrate to the FCA that we've governed this properly?" Those are very different questions, and the second one has an answer.

Where the grey areas genuinely are

Some applications sit in territory where the regulatory picture is genuinely uncertain. Not because the FCA is being obstructive - because the technology is moving faster than regulatory frameworks can adapt, and the intersection of existing rules creates genuine ambiguity.

Client-facing advice and suitability assessments. The Consumer Duty's "good outcomes" requirement applies to any output that influences client decisions. The FCA has been clear that using AI doesn't reduce your responsibility for the outcome. But it hasn't specified what AI-assisted suitability assessment must look like in practice. What level of human oversight is sufficient? If an AI model contributes to a suitability recommendation and the recommendation turns out to be unsuitable, where does the accountability sit? These aren't rhetorical questions - they're genuinely unresolved. And I'd be lying if I told you there's an obvious answer.

Automated decision-making without human review. GDPR Article 22 gives individuals rights around solely automated decisions that significantly affect them. Layer the Consumer Duty's "understanding" requirement on top - clients should be able to understand why a decision was made about them - and you've got real complexity. I've seen firms get into genuinely difficult territory here. One compliance director I worked with described a situation where an automated credit decision had been made, the client complained, and nobody in the firm could reconstruct the reasoning in terms the FOS would accept. The model had been accurate. It just couldn't explain itself. That's a different kind of problem.

Predictive analytics for client behaviour. Using AI to predict what clients will do - or to classify clients for differential treatment - carries both Consumer Duty and FCA/FOS risks. If your model produces outcomes that are discriminatory along protected characteristics, and you can't explain why, you're exposed. The challenge is that many AI models produce accurate predictions without being able to articulate the reasoning. In a regulatory environment that demands explainability, that's a structural problem, not a technical one.

For each of these grey areas, the honest answer is: you can proceed, but you need significantly enhanced governance, and you should go in with your eyes open about the residual regulatory risk.

The governance that applies everywhere

Whether you're in the "cleared in principle" category or navigating the grey areas, four governance requirements apply across the board. Think of these as the minimum viable compliance posture for any AI application in a regulated firm.

Model risk management. Document the model's purpose, training data, validation approach, and ongoing monitoring regime. The PRA's SS3/18 was written for credit risk models, but its principles apply in substance to any AI model you're deploying. If you can't describe how the model works, what data it was trained on, and how you're checking it's still performing as intended, you've got a governance gap.

Audit trails. You need to be able to explain any AI-influenced decision to the FCA, the Financial Ombudsman Service, or a client. On demand. Not just the decision itself, but the inputs, the model logic, and the human oversight applied. I sat with a compliance officer last year who described this as "the 3am test" - if the FCA calls at 3am about a specific client decision, can you reconstruct how it was made? If the answer is no, the application isn't ready.

Human oversight. The FCA expects that a qualified person has reviewed and is accountable for any AI-influenced output that affects a client or meets a regulatory obligation. This doesn't mean a human has to check every individual output. But it does mean someone with appropriate expertise is overseeing the system, reviewing samples, and taking accountability for the outputs. "The algorithm did it" is not a defensible position.

Bias monitoring. The FCA's Equality Act obligations and Consumer Duty requirements create a need to monitor AI outputs for discrimination along protected characteristics. Regulatory expectations here are firming up rapidly. If you're deploying any AI model that influences client outcomes, you need to be testing for bias regularly - and documenting what you find.

If you want to assess your firm's AI governance posture against these four dimensions - and identify specifically which applications your current governance would support - we offer a regulated AI readiness assessment that covers exactly this ground. It's particularly useful as a pre-meeting tool before the compliance conversation I'm about to describe.

How to have the compliance conversation

This is the bit that matters most, and it comes from watching this conversation play out badly in about a dozen financial services firms over the past two years.

Our compliance team's position is that we won't use AI for anything client-facing or decision-relevant until we have explicit FCA guidance. That's our safe harbour.

I understand why that feels safe. But it's applying a standard that the FCA itself doesn't use. The FCA regulates outcomes, not applications. It doesn't pre-approve tools. It holds you accountable for how you govern them. Waiting for explicit permission is like waiting for your driving instructor to call and tell you it's OK to drive to Sainsbury's. You passed the test. You know the rules. The responsibility is yours.

That said - and this matters - the answer is not to go around your compliance team. The answer is to change the conversation you're having with them.

The productive version of this conversation starts with a simple reframe. Instead of asking compliance "is this allowed?", ask "what governance would make this compliant?" Instead of presenting a fait accompli, bring them into the design of the governance framework from the start.

Specifically, these are the questions that tend to produce useful, actionable compliance input rather than a blanket "no":

Those questions give your compliance team something to work with. They're not asking for permission - they're asking for a specification. And in my experience, compliance professionals are much more comfortable writing specifications than issuing blanket approvals. It plays to their strengths rather than putting them in a position where they feel they're taking on risk by saying yes.

One CTO I worked with put it well: "We stopped asking compliance if we could use AI and started asking them to help us use AI properly. Same people, completely different outcome." Within six weeks they had a governance framework that satisfied the compliance team and allowed two of the four original use cases to proceed. The other two went into a "requires further work" category with specific, documented requirements for what would need to be true before they could proceed.

That's progress. Firms that get this conversation right typically cut implementation delays from well over a year down to eight or ten months - still not fast, but a lot better than indefinite. And 70% of financial services firms are still relying on legacy systems that limit AI deployment in the first place, so if you're reading this and thinking the compliance conversation is your only barrier, it might be worth checking whether your platforms can actually support what you're trying to do.

Where to start

Stop waiting for a regulatory green light that's never coming. The FCA has told you what it expects - oversight, explainability, governance, accountability. Those expectations are your framework.

Pick one application from the "cleared in principle" list. Build the governance around it. Get compliance involved from day one - not as gatekeepers, but as architects. Document everything. Ship it. Learn from it. Then move to the next one.

The firms getting value from AI in financial services aren't the ones with the fanciest models or the biggest budgets. They're the ones that figured out how to have a productive conversation with their compliance team. Honestly, it's a bit mundane. But it's true.

If you want to assess your firm's AI governance posture against the FCA's current expectations - and identify specifically which applications your current governance would support - book a regulated AI readiness assessment. It's designed to give you a clear picture of where you stand and what you'd need to put in place before each use case can proceed. We also have an AI readiness scorecard for firms that want to benchmark themselves before committing to a full assessment.

Reminder: this piece describes the regulatory landscape and the compliance questions your firm should be asking. It is not legal advice. Before making specific decisions about AI deployment in a regulated environment, take proper regulatory counsel. The FCA's published guidance is updated periodically - verify all regulatory references against the current published position before relying on them.