The FCA and Consumer Duty
The Financial Conduct Authority's Consumer Duty, which came into full force in July 2023, is the most consequential AI governance development for UK financial services firms in recent years. Its four outcome requirements — products and services, price and value, consumer understanding, and consumer support — create a framework that reaches AI systems across the customer lifecycle without explicitly naming AI. An AI pricing system that charges loyal customers significantly more than new customers may fail the price and value outcome. An AI communication system generating product information that customers cannot understand may fail the consumer understanding outcome. An AI-driven customer service system that fails to provide accessible support to vulnerable customers may fail the consumer support outcome.
The FCA has been explicit that Consumer Duty applies to AI. Its supervisory expectations include that firms understand how their AI systems affect customer outcomes, monitor those outcomes regularly, and take action when outcomes are poor. The Duty's proportionality principle — that firms must take reasonable steps relative to their size and resources — means that smaller firms have some flexibility in implementation, but not in the obligation to understand and manage AI's impact on customer outcomes.
PRA model risk management: SS1/23
The Prudential Regulation Authority's Supervisory Statement SS1/23 on model risk management applies to UK-incorporated banks, building societies, and PRA-designated investment firms with internal model approval for regulatory capital (it does not apply to insurers). The statement explicitly addresses AI and machine learning models and establishes that the core model risk management requirements — model definition, ownership, validation, use, and control — apply to AI models as they do to traditional statistical models, with appropriate adaptations for AI-specific characteristics.
The key SS1/23 requirements for AI: firms must maintain a model inventory that includes AI systems used in material decisions. Models must be developed with appropriate documentation. Independent validation must be conducted before deployment and after significant changes. Performance must be monitored in production. Model risk must be reflected in the firm's risk appetite framework. And there must be clear accountability — a named model owner — for each material model. The challenge of applying SS1/23 to AI models is the explainability gap: traditional validation methodology assumes models that can be fully understood and mathematically validated. AI models cannot always be validated in this way, and the PRA expects firms to adapt their validation methodology accordingly — documenting the limitations and uncertainty in AI model validation and applying additional safeguards where validation methodology is constrained.
Bank of England: financial stability and AI
The Bank of England's focus on AI is primarily through its financial stability mandate — the risk that widespread AI adoption in financial services creates correlated behaviours that amplify systemic risk. If many financial institutions use similar AI models for trading, credit, or risk management decisions, those models may respond similarly to market events — amplifying volatility rather than diversifying it. The Bank's supervision of this risk manifests through its stress testing programmes (which increasingly include AI-related scenarios), its oversight of financial market infrastructure, and its participation in international AI governance discussions through the FSB and BIS.
