Sixty-two per cent of financial services firms say AI is a strategic priority. Fewer than one in five have anything running in production.
I've been quoting that stat in meetings for the best part of a year. The reaction is almost always the same: a knowing nod, a slight grimace, and then some version of "We're waiting for more clarity from the regulator."
Which sounds reasonable. Prudent, even. Exactly the kind of thing a well-run, compliance-conscious firm should be saying. Except it's not quite true, is it? The FCA has published guidance on AI and machine learning. The PRA has been clear about model risk management expectations. The Consumer Duty framework, which came into force in July 2023, gives you a solid lens for evaluating whether a client-facing AI application meets the bar. You're not waiting for clarity. You're waiting for certainty. And certainty isn't coming, because that's not how regulation works when the technology is moving this fast.
Meanwhile, the firms that started twelve to eighteen months ago with unglamorous, back-office use cases are now on their second and third applications. They've built governance frameworks. They've got compliance sign-off processes that work. They've got internal muscle memory for how to scope, pilot, and evaluate AI tools. And none of that came from attending another vendor demo or commissioning another strategy deck.
Our compliance team won't sign off on anything involving AI until we have explicit FCA guidance.
I had a version of this conversation with a Head of Compliance at a mid-market wealth manager about eight months ago. She wasn't being obstructive - she was genuinely nervous about putting her name to something she couldn't fully defend to the regulator. I get that. But when we actually sat down and mapped the FCA's existing AI guidance against the three use cases her firm was considering, she was surprised. Not because the path was clear and obvious, but because it was clearer than she'd expected. The governance requirements were real, but they were manageable. What she'd been imagining was a regulatory minefield. What we found was more like a building site - messy, but navigable if you knew where to put your feet.
So here are three specific things your firm can do this quarter. Not theoretical. Not aspirational. Three use cases that fit the technical maturity and regulatory posture of a typical mid-market financial services firm right now, with honest timelines, real governance requirements, and clear ways to measure whether they're working.
I've written companion pieces covering the same exercise for law firms and management consultancies - the approach is the same, but the use cases are sector-specific.
Start with compliance monitoring. Not because it's exciting - it isn't - but because it carries the lowest regulatory risk profile and has the most established precedent in financial services.
What it does: continuous monitoring of transactions, communications, or client activity against defined rule sets, with automated flagging of potential issues for human review. If you're currently running manual sampling processes - and most mid-market firms are - you're covering somewhere between 5% and 10% of your actual activity. An automated system covers everything, continuously, and surfaces the exceptions for your compliance team to investigate.
This isn't new technology. Major institutions have been running automated surveillance for years. The RegTech market for this use case has matured considerably - platforms like Behavox, NICE Actimize, and Nasdaq Surveillance are well-established, though I'd check their current positioning and pricing against your specific needs before committing. What was best-in-class eighteen months ago may not be today.
What your compliance team needs to know: The FCA expects firms using automated monitoring to maintain human oversight, documented model governance, and full audit trails. That's not a barrier - it's just good practice. You're not replacing your compliance function. You're giving it better tools and broader coverage.
What it requires from you: Access to the relevant transaction or communication data (which you already have, sitting in your core systems), a compliance team willing to own the model governance documentation, and an IT setup that supports the integration.
Realistic timeline: Four to eight weeks for vendor configuration and initial deployment. But I'll be honest - it takes about six months to reach stable operational use. The first few months involve calibrating false positive rates, which will be annoyingly high at the start. That's normal. Don't let anyone use early false positive rates as evidence that "the AI doesn't work." I've seen that argument kill a perfectly good pilot.
What to measure: Coverage rate versus your current manual sampling baseline, false positive rate trend over the first ninety days, and compliance team time saved per week. Two practical conditions attach to that. The false positive rate only exists if reviewers record an outcome against every flag, so build that into the review workflow before go-live, not after. And a falling false positive rate says nothing about what the rules miss, so keep a slice of the old manual sampling running alongside the pilot as your check on false negatives. If you can't measure those three things, you've scoped the pilot badly.
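As an added illustration of the pattern in this use case (this is not code from the article or from any of the vendors named above), here is a small rule-based monitor in Python: every transaction is screened against versioned rules, every hit is recorded with the inputs that raised it, the reviewer's decision is written back onto the flag, and the pilot metrics are derived from that trail rather than estimated. The rules, thresholds, country codes, client ids and transactions are all constructed for illustration.

```python
"""Rule-based transaction monitoring with an audit trail and pilot metrics.
Added example for this article, not code from the article or any vendor it names;
rules, thresholds, country codes and transactions are all constructed."""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
from typing import Optional

HIGH_VALUE_THRESHOLD = 25_000.0     # constructed threshold
HIGH_RISK_COUNTRIES = {"XX", "YY"}  # placeholder codes, not a real list

@dataclass(frozen=True)
class Transaction:
    txn_id: str
    client_id: str
    amount: float
    counterparty_country: str
    timestamp: datetime

@dataclass
class Flag:
    flag_id: str          # txn id + rule id + rule version: a flag is tied to the logic that raised it
    txn_id: str
    rule_id: str
    rule_version: str
    reason: str
    evidence: dict        # the inputs the rule saw, frozen at flag time
    reviewer: Optional[str] = None
    outcome: Optional[str] = None   # "true_positive" or "false_positive" once reviewed

# Each rule takes the transaction and the screened history and returns a reason string or None.
def high_value(txn, history):
    if txn.amount >= HIGH_VALUE_THRESHOLD:
        return f"amount {txn.amount:.2f} at or above {HIGH_VALUE_THRESHOLD:.2f}"
    return None

def structuring(txn, history):
    """Three or more sub-threshold payments from one client that together cross it within 24h."""
    start = txn.timestamp - timedelta(hours=24)
    recent = [t for t in history if t.client_id == txn.client_id and start <= t.timestamp < txn.timestamp]
    total = txn.amount + sum(t.amount for t in recent)
    if txn.amount < HIGH_VALUE_THRESHOLD and len(recent) >= 2 and total >= HIGH_VALUE_THRESHOLD:
        return f"{len(recent) + 1} payments totalling {total:.2f} in 24h, each below threshold"
    return None

def high_risk_jurisdiction(txn, history):
    if txn.counterparty_country in HIGH_RISK_COUNTRIES:
        return f"counterparty country {txn.counterparty_country} is on the high-risk list"
    return None

# (rule id, rule version, check). Versioning matters: change a threshold, bump the version.
RULES = [("HV-01", "1.0", high_value), ("ST-01", "1.0", structuring), ("HR-01", "1.0", high_risk_jurisdiction)]

class Monitor:
    def __init__(self, rules):
        self.rules = rules
        self.history = []   # every transaction screened, in arrival order
        self.flags = []     # every flag raised, with the inputs that raised it

    def evaluate(self, txn):
        # Run every rule over one transaction; each hit becomes a Flag carrying its evidence.
        raised = []
        for rule_id, version, check in self.rules:
            reason = check(txn, self.history)
            if reason is None:
                continue
            evidence = {"client_id": txn.client_id, "amount": txn.amount, "country": txn.counterparty_country,
                        "timestamp": txn.timestamp.isoformat(), "threshold": HIGH_VALUE_THRESHOLD}
            raised.append(Flag(f"{txn.txn_id}:{rule_id}:{version}", txn.txn_id, rule_id, version, reason, evidence))
        self.history.append(txn)
        self.flags.extend(raised)
        return raised

    def record_review(self, flag_id, reviewer, outcome):
        """The human decision is part of the trail: the system flags, the reviewer decides."""
        if outcome not in ("true_positive", "false_positive"):
            raise ValueError("outcome must be true_positive or false_positive")
        flag = next(f for f in self.flags if f.flag_id == flag_id)
        flag.reviewer, flag.outcome = reviewer, outcome
        return flag

    def audit_trail(self):
        """What you show the regulator: which rule and version, which inputs, who decided what."""
        return [asdict(f) for f in self.flags]

    def metrics(self, population, manual_sample_rate):
        """Pilot numbers: coverage against the old sampling rate, flags raised, false positive rate."""
        reviewed = [f for f in self.flags if f.outcome is not None]
        false_pos = sum(1 for f in reviewed if f.outcome == "false_positive")
        return {"screened": len(self.history), "coverage": len(self.history) / population,
                "manual_baseline": manual_sample_rate, "flags": len(self.flags),
                "reviewed": len(reviewed), "open": len(self.flags) - len(reviewed),
                "false_positive_rate": false_pos / len(reviewed) if reviewed else None}

def run_demo():
    # Constructed day: a structured deposit, a large genuine payment, a high-risk counterparty.
    base = datetime(2024, 3, 1, 9, 0)
    specs = [("T1", "C1", 9_000.0, "GB", 0), ("T2", "C1", 9_500.0, "GB", 1), ("T3", "C1", 9_800.0, "GB", 2),
             ("T4", "C2", 60_000.0, "GB", 3), ("T5", "C3", 1_200.0, "XX", 4), ("T6", "C2", 400.0, "GB", 5)]
    monitor = Monitor(RULES)
    for txn_id, client, amount, country, hours in specs:
        monitor.evaluate(Transaction(txn_id, client, amount, country, base + timedelta(hours=hours)))
    # Reviewer confirms the structuring pattern and clears the large payment as a documented purchase.
    monitor.record_review("T3:ST-01:1.0", "compliance.analyst", "true_positive")
    monitor.record_review("T4:HV-01:1.0", "compliance.analyst", "false_positive")
    return monitor
```

Two design points carry over to a real deployment. The rule version is part of every flag's identity, so changing a threshold never silently rewrites history: the trail shows which logic fired at the time. And the false positive rate comes from recorded reviewer outcomes, not from an estimate, which is why the review workflow has to capture an outcome for every flag from day one. Running `run_demo().metrics(population=6, manual_sample_rate=0.05)` gives full coverage against a 5% manual baseline, three flags, two reviewed, one still open, and a false positive rate of 0.5.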
Client communication analysis is messier, and I want to be upfront about that - because the way it usually gets sold is cleaner than the reality.
The concept: AI analysis of client communication patterns - email frequency, response times, sentiment in written communications, meeting cadence - to identify early signals of disengagement before they show up in your retention numbers. An early warning system for relationships that are quietly cooling.
I find this genuinely compelling, partly because of a conversation I had with a relationship director at a regional private bank about eighteen months ago. She'd just lost a client she'd managed for eleven years - significant AUM, no obvious trigger, no formal complaint. When she went back through the communication trail afterwards, the pattern was obvious. Emails had got shorter over about four months. Two meetings rescheduled without being replaced. Response times doubling. No single signal was definitive, but together they were telling a story she'd missed because she was managing 140 other relationships at the same time. "I would have caught it," she told me, "if I'd had time to look." That's exactly the problem this use case is built to solve.
But, and this matters, it's less mature than compliance monitoring and carries more complexity around data privacy.
The privacy dimension is real. You're analysing client communications, which means you need a clear lawful basis under UK GDPR: explicit client consent, or a documented legitimate interests assessment that works through purpose, necessity and the balancing test - and "we thought it would be useful" doesn't get you through the balancing test. You need your DPO involved, a Data Protection Impact Assessment completed before deployment (systematic monitoring and profiling of individual clients is squarely the kind of processing a DPIA exists for), and clients who understand in clear terms how their communication data is being used. The FCA's expectations around client data use add another layer on top.
I should be straight with you: this is an emerging use case in mid-market financial services. We've seen it deployed successfully in larger institutions, and we're working with firms exploring it now, but it's not established in the way compliance monitoring is. If your data governance is already solid and your DPO is willing to engage properly with the DPIA process, it's worth pursuing. If your data governance is still a work in progress - start with use case 1 and come back to this one in six months.
What it requires: CRM data with communication history (most firms have this, but it's usually messier than they'd like to admit), clear data governance documentation, and - critically - a relationship management process that actually acts on the signals. An early warning system is worthless if nobody reads the warnings.
What to measure: Early disengagement detection rate, retention rate in the cohort where signals were acted on versus a control group, and relationship manager time saved in manual relationship health assessment.
Realistic timeline: Longer than use case 1. Two to three months for the data governance and privacy work before you configure anything. Then another three months piloting with a subset of client relationships before broader rollout.
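As an added example (not the article's code and not any vendor's), here is what the relationship director's pattern above looks like as a scored set of signals in Python. It deliberately uses only metadata - message lengths, client reply times, message counts and meeting outcomes - and never the text of a message, so the sentiment signal mentioned in the concept is left out; that keeps the data footprint smaller for the DPIA, though it does not remove the need for a lawful basis. The window sizes, thresholds, client ids and the two sample clients are constructed.

```python
"""Early-warning signals for a cooling client relationship, from communication metadata only.
Added example for this article, not code from the article or any vendor; it uses message
lengths, reply times, message counts and meeting outcomes, never message text, so the
sentiment signal is deliberately left out. Windows, thresholds and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass(frozen=True)
class ClientMessage:
    client_id: str
    sent: datetime
    length_chars: int
    reply_hours: Optional[float]   # hours the client took to reply to us; None if unsolicited

@dataclass(frozen=True)
class Meeting:
    client_id: str
    scheduled: datetime
    status: str                    # "held", "rescheduled" or "cancelled"

RECENT_DAYS, BASELINE_DAYS = 60, 120   # constructed window sizes: last 60 days vs the 120 before

def _ratio(recent_vals, baseline_vals):
    """Recent mean over the client's own baseline mean; None when either window is empty."""
    if not recent_vals or not baseline_vals:
        return None
    return mean(recent_vals) / mean(baseline_vals)

def assess_client(client_id, messages, meetings, as_of):
    """Score one relationship: each signal compares the recent window with that client's baseline."""
    recent_start = as_of - timedelta(days=RECENT_DAYS)
    base_start = recent_start - timedelta(days=BASELINE_DAYS)
    mine = [m for m in messages if m.client_id == client_id and base_start <= m.sent <= as_of]
    recent = [m for m in mine if m.sent >= recent_start]
    baseline = [m for m in mine if m.sent < recent_start]
    length_ratio = _ratio([m.length_chars for m in recent], [m.length_chars for m in baseline])
    reply_ratio = _ratio([m.reply_hours for m in recent if m.reply_hours is not None],
                         [m.reply_hours for m in baseline if m.reply_hours is not None])
    freq_ratio = (len(recent) / RECENT_DAYS) / (len(baseline) / BASELINE_DAYS) if baseline else None
    # Meetings that were rescheduled and never replaced by one that actually happened.
    mtgs = sorted((x for x in meetings if x.client_id == client_id and recent_start <= x.scheduled <= as_of),
                  key=lambda x: x.scheduled)
    rescheduled = [x for x in mtgs if x.status == "rescheduled"]
    replaced = bool(rescheduled) and any(x.status == "held" and x.scheduled > rescheduled[-1].scheduled for x in mtgs)
    signals = {
        "shorter_messages": length_ratio is not None and length_ratio <= 0.6,
        "slower_replies": reply_ratio is not None and reply_ratio >= 2.0,
        "fewer_messages": freq_ratio is not None and freq_ratio <= 0.5,
        "meetings_slipping": len(rescheduled) >= 2 and not replaced,
    }
    score = sum(signals.values())
    return {"client_id": client_id, "signals": signals, "score": score,
            "alert": score >= 2,   # no single signal is definitive; two or more together warrant a look
            "detail": {"length_ratio": length_ratio, "reply_ratio": reply_ratio, "freq_ratio": freq_ratio}}

def assess_all(messages, meetings, as_of):
    clients = sorted({m.client_id for m in messages} | {x.client_id for x in meetings})
    return [assess_client(c, messages, meetings, as_of) for c in clients]

# Constructed sample as of 30 June 2024: one relationship quietly cooling, one healthy.
AS_OF = datetime(2024, 6, 30)
D = datetime
DEMO_MESSAGES = [
    # C-COOL: long, prompt emails through April; short, slow ones in May and June.
    ClientMessage("C-COOL", D(2024, 1, 15), 900, 6), ClientMessage("C-COOL", D(2024, 2, 10), 1100, 8),
    ClientMessage("C-COOL", D(2024, 3, 5), 850, 5), ClientMessage("C-COOL", D(2024, 3, 28), 1000, 7),
    ClientMessage("C-COOL", D(2024, 4, 20), 950, 9),
    ClientMessage("C-COOL", D(2024, 5, 20), 300, 20), ClientMessage("C-COOL", D(2024, 6, 15), 250, 30),
    # C-OK: steady throughout.
    ClientMessage("C-OK", D(2024, 1, 20), 500, 10), ClientMessage("C-OK", D(2024, 2, 25), 600, 12),
    ClientMessage("C-OK", D(2024, 4, 2), 550, 8),
    ClientMessage("C-OK", D(2024, 5, 15), 520, 9), ClientMessage("C-OK", D(2024, 6, 20), 580, 11),
]
DEMO_MEETINGS = [
    Meeting("C-COOL", D(2024, 5, 10), "rescheduled"), Meeting("C-COOL", D(2024, 6, 5), "rescheduled"),
    Meeting("C-OK", D(2024, 5, 8), "held"),
]

if __name__ == "__main__":
    for r in assess_all(DEMO_MESSAGES, DEMO_MEETINGS, AS_OF):
        print(r["client_id"], "ALERT" if r["alert"] else "ok", r["signals"])
```

The alert fires only when two or more signals line up, which matches the point that no single signal was definitive. Every ratio is the client's recent window against that same client's own baseline, so someone who has always written two-line emails doesn't trip the length signal. The thresholds are arbitrary starting points; the place to calibrate them is the retention comparison against a control group described under what to measure, not the first week's alert volume. On the constructed data, C-COOL trips three of four signals (shorter messages, slower replies, meetings slipping; message frequency alone is not low enough) and C-OK trips none.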
Report generation is the one that gets the most enthusiasm in the room. And the time saving is real - but there's a catch that I want to put front and centre, because I've watched firms skip past it and regret it.
What it does: automated first-draft generation of the standard periodic reports your client-facing teams produce repeatedly. Portfolio updates, performance commentaries, regulatory disclosures - the reports that follow a predictable structure, draw from structured data in your core systems, and consume hours of skilled professional time that could be spent on actual advice.
I sat with an operations director at a mid-market wealth firm a few months back who told me her team spent roughly 40% of their time in the last week of each quarter producing client reports. Forty per cent. Most of it was pulling numbers from one system, pasting them into a template in another system, and writing the same narrative commentary with minor variations for each client. It's exactly the kind of work AI handles well - and exactly the kind of work that makes good people want to leave.
Here's the catch: this use case is directly client-facing. Every report that leaves your firm carries your professional obligations. Your PI insurance covers it. Your regulatory status covers it. The FCA doesn't care whether a human wrote the first draft or an AI did - what matters is that a qualified professional reviewed and approved the final output. The time saving comes from reducing drafting time, not from removing professional review. Anyone who tells you otherwise is selling something dangerous.
Quality assurance is non-negotiable. Design the review workflow before you deploy, not after the first mistake. I've seen firms get excited about the drafting speed, skip the QA design, and then scramble to retrofit it after a report goes out with an error. It's an embarrassing and entirely avoidable situation.
What it requires: A document management system with report templates - or the willingness to standardise them, which is often the harder part - access to the structured data that populates them, and a quality assurance workflow that's been designed, tested, and agreed before you generate a single client-facing draft.
Realistic timeline: Four to six weeks to set up initial templates and test against historical data. Start with one report type - the most standardised, least bespoke one you have. Pilot it. Measure the output quality. Expand from there.
What to measure: Drafting time saved per report, review time as a proportion of total report production time (if review is 80% of the total, your drafting automation isn't solving the real problem), and error rate in first-draft outputs.
I've kept the compliance notes in each use case brief, because I've written a separate companion piece - AI in financial services: what's cleared compliance and what hasn't - that covers the full regulatory picture properly. Go and read that one alongside this.
But a few things apply across all three that are worth stating plainly.
The FCA expects model risk management documentation for any AI application in financial services. That means documenting what the model does, what data it uses, how it was validated, who owns it, and how you'll monitor its performance over time. This isn't bureaucracy for the sake of it - it's the foundation that lets you expand from one use case to three to ten without building governance from scratch each time.
Human oversight requirements are clear and consistent: a qualified person must be accountable for the output. The AI assists. It doesn't decide.
Audit trails matter. If the FCA asks how a particular compliance flag was generated, or how a particular client report was produced, you need to be able to show the working: which version of the model or rule set ran, what data went into it, what it produced, and who reviewed and approved the result. If any one of those four is missing, you can't reconstruct the decision, and "the system said so" is not an answer a regulator will accept.
And the Consumer Duty is worth reframing here. I've seen too many firms treat it as a barrier to AI adoption - we can't use AI for anything client-facing because of the Consumer Duty. That's backwards. The Consumer Duty requires you to deliver good outcomes for clients. If AI helps you monitor compliance more thoroughly, spot relationship problems earlier, or produce more timely and accurate reports, it's actively supporting your Consumer Duty obligations. The question isn't whether AI is compatible with the Consumer Duty. It's whether your current manual processes are delivering the outcomes the Consumer Duty expects.
Rank these by regulatory risk profile and start at the bottom.
Compliance monitoring is the lowest risk. It's a back-office application with well-established regulatory precedent. Your compliance team will be most comfortable here because the governance requirements are well understood and the human-in-the-loop model is obvious.
Report generation sits in the middle. It's client-facing, which raises the stakes, but the output is reviewed by a professional before it leaves the firm. The governance model is straightforward as long as you design the QA workflow properly.
Communication analysis carries the most complexity because of the data privacy dimensions. Don't start here unless your data governance is already solid.
The real value of starting with compliance monitoring isn't just the monitoring itself - it's the governance infrastructure you build around it. The model risk documentation, the oversight processes, the audit trail habits. All of that transfers directly to your second and third use cases. The firms I've seen do this well treat the first pilot as a governance investment, not just a technology one.
Once these pilots are producing results, the next challenge becomes governing the expansion and making the case to the board for broader AI investment. I've written about that separately - it's a different conversation but one that follows naturally from here.
If you want a structured assessment of which of these three use cases is the best fit for your firm's current compliance posture, data environment, and operational capability - and what a properly scoped pilot design looks like - book an AI opportunity assessment for financial services firms. We've also built a financial services AI use case scorecard - a one-page readiness assessment covering data availability, regulatory posture, technical environment, and governance maturity for each of the three use cases. It takes about ten minutes and it'll tell you where to start.
None of this requires a regulatory waiver. None of it requires a novel governance structure. It just requires the discipline to scope the pilot properly and the honesty to measure whether it works.
The firms that start this quarter will be twelve months ahead of the ones that are still waiting. And that gap only compounds.