AI does not get a regulatory holiday
The Financial Conduct Authority’s Consumer Duty has been in force since 31 July 2023 for open products and services, and since 31 July 2024 for closed ones. It sits near the top of the FCA rulebook as Principle 12, expanded in the PRIN 2A sourcebook, and it quietly changed the question a regulated firm has to answer. The old question was “did we follow the rules?” The new one is “did we deliver good outcomes for retail customers?” That is a higher and less forgiving bar, and it reaches into how you design, price, explain and support every product you sell.
Here is the part a lot of finance-adjacent firms miss. The Duty is technology-neutral. If you use an AI model to decide who gets credit, what a policy costs, which customers get chased in arrears, or what a chatbot tells someone at 11pm, the Duty applies to that decision exactly as it would to a human making it. The FCA has been consistent that it does not plan a separate AI rulebook. It expects your existing obligations, the Consumer Duty, the Senior Managers and Certification Regime (SM&CR), the SYSC systems-and-controls rules and operational resilience, to already cover AI. Put bluntly: “the model did it” is not a defence.
This is general information, not legal or compliance advice. Regulatory dates, thresholds and guidance move, and some of the dates below are forward-looking, so confirm the current position with the FCA Handbook and your own compliance function before acting.
The four outcomes, and where AI sits in each
Underneath Principle 12, PRIN 2A sets out three cross-cutting obligations (act in good faith, avoid foreseeable harm, and enable customers to pursue their financial objectives) and four outcomes you have to evidence. Every AI system you deploy touches at least one of them.
- Products and services (PRIN 2A.3). Products must be designed for a defined target market and distributed appropriately. If an AI model is doing your segmentation or eligibility screening, it is now shaping your target market. A model that silently excludes a protected group, or steers a product to people it does not suit, is a products-and-services failure.
- Price and value (PRIN 2A.4). The price a customer pays must bear a reasonable relationship to the benefit they receive. AI-driven or personalised pricing is squarely in scope. Price optimisation that charges more to the people least likely to shop around is the textbook example of what the FCA is watching for.
- Consumer understanding (PRIN 2A.5). Communications must equip customers to make informed decisions. A generative chatbot that answers imprecisely, or a summary that buries a material term, undermines understanding at scale.
- Consumer support (PRIN 2A.6). Customers must be able to get help without unreasonable barriers. An AI support layer that traps vulnerable customers in a loop, or makes cancelling harder than buying, is a support failure even if it cuts your cost to serve.
The through-line is that AI does not create a new set of obligations. It gives you faster, cheaper and less visible ways to hit or miss the ones you already have.
Where AI genuinely helps you meet the Duty
It would be dishonest to frame AI as pure regulatory risk. Used well, it is one of the better tools you have for actually delivering the Duty, and the FCA’s own posture (running an AI Lab, a Supercharged Sandbox and AI Live Testing) signals it wants firms to innovate, not freeze.
Consistency. A human underwriter has good days and bad days. A well-governed model applies the same logic to every applicant, which makes fair, repeatable treatment easier to demonstrate than a room full of individual judgements.
Audit trails. Every automated decision can be logged with its inputs and rationale. That is gold for a Duty that expects you to evidence outcomes rather than assert them. A human decision is often reconstructed from memory. A machine decision can be replayed.
Vulnerable-customer detection. Language and behavioural models can flag signals of vulnerability (sudden changes in payment behaviour, distress markers in a support chat, hardship keywords) far earlier than manual review, so a human can step in while it still matters.
Faster, more available support. An assistant that answers accurately at midnight can remove genuine barriers, which is exactly what the consumer-support outcome asks for. When we helped build the live AI assistant on mdlondon, the point was not to replace people. It was to make good answers available at the moment the customer needed them, with the tricky cases routed to a human.
Where AI creates new ways to fail
The same properties that make AI useful make its failures dangerous, because they scale.
Opaque decisions. If your model cannot tell you why it declined an application, you cannot evidence a good outcome, and you cannot give the customer a real explanation. Opacity is not a technical inconvenience under the Duty. It is a compliance gap.
Bias. A model trained on historical lending data will happily learn historical discrimination and present it as objectivity. Without deliberate testing across protected and vulnerable groups, you can produce systematically unfair pricing or access and never notice, because the average outcome looks fine.
Hallucinated advice. A generative assistant that invents a term, misstates a rate, or drifts into something that looks like regulated advice can breach the consumer-understanding outcome one confident sentence at a time. Fluency is not accuracy.
Unfair outcomes at scale. A single human error harms one customer. A single mis-specified model harms everyone it touches, instantly, until someone catches it. That asymmetry is the core reason the Duty and AI need to be managed together rather than separately.
What “unfair outcomes at scale” actually looks like
The clearest recent warning did not involve AI at all, which is exactly why it should worry anyone automating decisions. The motor finance commission scandal, culminating in the Supreme Court judgment in Johnson v FirstRand and the linked Hopcraft and Wrench cases on 1 August 2025, exposed years of undisclosed and discretionary commission arrangements where brokers could raise a customer’s interest rate to earn more.
The FCA has since confirmed a redress scheme (PS26/3) covering agreements written between 6 April 2007 and 1 November 2024. Its modelling suggests around 14.2 million agreements may be affected, roughly 44% of car finance agreements since 2007, with an average payout near £700, total consumer redress around £8.2bn and a total scheme cost in the region of £11bn.
None of that was caused by a language model. It was caused by an incentive structure that produced systematically unfair outcomes across millions of customers while each individual transaction looked routine. Now imagine that same dynamic encoded in a pricing model that quietly runs every quote. AI does not invent this failure mode. It industrialises it. For anyone in lending, broking, motor and vehicle finance or insurance, that is the scenario the Duty exists to prevent, and it is the scenario your AI governance has to be designed around.
The regulator’s position: principles, not a new rulebook
It helps to be precise about what the FCA is and is not doing, because the internet is full of confident claims about “AI regulation” that do not match the UK financial-services reality.
The FCA’s approach is technology-neutral, principles-based and outcomes-focused. It has said it does not intend to introduce prescriptive AI rules. Instead it expects AI to be governed through the frameworks you already run: the Consumer Duty, SM&CR, SYSC and operational resilience. Crucially, SM&CR attaches individual accountability to named senior managers, and that includes AI systems. You cannot outsource responsibility for an outcome to a vendor or a model.
The guidance is still being built out, so treat the following as a moving picture. The FCA and the Information Commissioner’s Office were expected to publish joint guidance in early 2026 on balancing vulnerable-customer support, data sharing and data-protection law. The Treasury Committee has asked the FCA to publish comprehensive AI guidance by the end of 2026, and an FCA review of AI in retail financial services is due to report to its Board in summer 2026. On the practical side, the FCA opened AI Live Testing and announced its second cohort of eight firms on 21 April 2026, covering use cases from agentic payments to anti-money-laundering and KYC. If your use case is genuinely novel, that testing route is worth knowing about. Check all of these dates against the FCA’s current publications, because they are exactly the kind of thing that slips.
Explainability and human oversight of automated decisions
Two disciplines separate defensible AI from a future enforcement case, and both are engineering problems as much as policy ones.
Explainability. For any decision that materially affects a customer, you should be able to state, in plain language, the main factors behind it. That does not always mean a fully interpretable model. It means you can produce a truthful, customer-facing reason and an internal, auditable rationale. If a model is so opaque that neither is possible, it is the wrong model for a regulated decision, however good its accuracy looks.
Human oversight. Automation should not mean abdication. High-impact decisions (declines, price increases, arrears actions, anything affecting a customer you suspect is vulnerable) need a human in or on the loop, with real authority to override and a record when they do. This is the design pattern we build into our own systems. The prospecting engine we run puts an adversarial verifier, effectively a second model whose only job is to challenge the first, in front of anything before it is auto-sent. The principle transfers directly: never let a single model’s output reach a customer without an independent check, whether that check is another model, a rules gate, or a person. If you are going to trust a machine with an outcome, make it earn that trust every time, not once at launch.
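One way to build the rules-gate form of that independent check, as an added example that is not code from this article or from the systems it mentions. The decision-type names, record fields and the approved-rate lookup are illustrative assumptions, and the sample drafts in the usage lines are constructed.

```python
import re
from decimal import Decimal

RATE = re.compile(r"(\d+(?:\.\d+)?)\s*%")
# Decision types the article lists as high-impact (names are assumptions).
HIGH_IMPACT = {"decline", "price_increase", "arrears_action"}

def gate(draft, decision_type, approved_rates, vulnerable=False):
    """Independent check on a model's draft before it reaches a customer.

    Holds the draft for human review if the decision is high-impact, the
    customer may be vulnerable, or the draft quotes a rate that is not in
    the approved product record.
    """
    reasons = []
    if decision_type in HIGH_IMPACT:
        reasons.append(f"high-impact decision: {decision_type}")
    if vulnerable:
        reasons.append("customer flagged as possibly vulnerable")
    for m in RATE.finditer(draft):
        if Decimal(m.group(1)) not in approved_rates:
            reasons.append(f"rate {m.group(1)}% not in product record")
    action = "human_review" if reasons else "send"
    return {"draft": draft, "action": action, "reasons": reasons, "override": None}

def review(record, reviewer, release, note):
    """Apply a human decision to a held record and keep who decided and why."""
    if record["action"] != "human_review":
        raise ValueError("only held records go to a reviewer")
    return {**record,
            "action": "send" if release else "blocked",
            "override": {"reviewer": reviewer, "release": release, "note": note}}

if __name__ == "__main__":
    approved = {Decimal("5.9")}  # constructed product record
    print(gate("Your rate is 5.90% APR.", "information", approved))
    held = gate("Your rate is 4.9% APR.", "information", approved)
    print(review(held, "reviewer-01", False, "rate does not match product"))
```
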
Monitoring outcomes and keeping records
The Duty is not a launch-day certificate. It is a continuous obligation, and AI raises the monitoring bar because models drift, data shifts, and yesterday’s fair system becomes today’s biased one without anyone touching the code.
Monitor outcomes, not just accuracy. Break your results down by customer segment, including vulnerability indicators, and watch for divergence: are certain groups declined more, priced higher, or supported worse? Set thresholds that trigger review before harm compounds. And keep records you could hand a regulator tomorrow: model documentation, data lineage, decision logs with reasons, human-review and override records, and a change log for every model update.
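A segment-level disparity check over a decision log, as an added example that is not code from this article. The record fields, segment names, the 1.25 ratio and the minimum sample of 30 are illustrative assumptions rather than FCA figures, and the log is constructed so that the overall decline rate looks unremarkable while one segment diverges.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Decision:
    decision_id: str
    model_version: str  # recorded so a decision can be reconstructed later
    segment: str        # monitoring segment, e.g. a vulnerability indicator
    declined: bool
    reason: str         # reason logged at decision time

def decline_rates(log):
    """Return {segment: (decline_rate, sample_size)}."""
    counts = defaultdict(lambda: [0, 0])  # segment -> [declined, total]
    for d in log:
        counts[d.segment][0] += int(d.declined)
        counts[d.segment][1] += 1
    return {seg: (dec / tot, tot) for seg, (dec, tot) in counts.items()}

def disparity_alerts(log, reference, max_ratio=1.25, min_n=30):
    """Compare each segment's decline rate with the reference segment.

    Segments with fewer than min_n decisions are reported as
    'insufficient_data' instead of being silently passed.
    """
    rates = decline_rates(log)
    ref_rate, _ = rates[reference]
    alerts = []
    for seg, (rate, n) in sorted(rates.items()):
        if seg == reference:
            continue
        if n < min_n:
            alerts.append((seg, "insufficient_data", None))
            continue
        ratio = rate / ref_rate if ref_rate else (float("inf") if rate else 1.0)
        if ratio > max_ratio:
            alerts.append((seg, "review", round(ratio, 2)))
    return alerts

def make_log(segment, total, declined, version="model-v1"):
    """Constructed sample data: the first `declined` rows are declines."""
    return [Decision(f"{segment}-{i}", version, segment, i < declined,
                     "affordability" if i < declined else "approved")
            for i in range(total)]

SAMPLE_LOG = (make_log("no_flag", 200, 40)
              + make_log("vulnerability_flag", 50, 20)
              + make_log("thin_file", 10, 5))

if __name__ == "__main__":
    print(disparity_alerts(SAMPLE_LOG, reference="no_flag"))
```
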
That last point rests on unglamorous data engineering. You cannot monitor or reconstruct outcomes if your data lives in an unmanageable sprawl. When we helped a client retire a 779-column legacy system, the real prize was not a tidier database. It was decisions that could finally be traced, explained and trusted. Good AI governance sits on top of clean, well-modelled data. Skip that foundation and every explainability and monitoring promise above becomes theatre.
A practical checklist for compliant AI adoption
If you are a compliance-minded operator bringing AI into a regulated workflow, work through this before you deploy, not after.
- Map the decision to an outcome. For each AI use case, name which of the four outcomes it affects and how you will evidence a good result.
- Assign a senior manager. Under SM&CR, put a named individual on the hook for that outcome. If nobody owns it, do not ship it.
- Test for bias and vulnerability impact. Run the model across protected and vulnerable segments before launch, and define the thresholds that will pause it later.
- Guarantee explainability. Confirm you can give both a customer-facing reason and an internal rationale for any material decision.
- Design the human checkpoint. Decide which decisions get independent review (human or a verifier model) and give reviewers genuine override power.
- Instrument outcome monitoring. Log inputs, decisions and reasons, segment your monitoring, and set alerts on drift and disparity.
- Lock down record-keeping. Ensure you can reconstruct any decision months later, including which model version made it.
- Have a kill switch and a rollback. Know exactly how you pause the system and revert to a safe state if monitoring flags harm.
- Review against the current rules. Re-check the FCA’s latest AI and Consumer Duty publications on a set cadence, because the guidance is still being written.
Adopting AI in a regulated sector is not a reason to be timid, and the firms that get this right will serve customers better and cheaper than those still doing everything by hand. The trap is treating AI as a shortcut around judgement rather than a way to apply good judgement consistently, visibly, and at scale. Build it so every automated outcome can be explained, overseen and evidenced, and the Duty stops being a threat and starts being the standard your competitors cannot match.