Practical AI and SaaS for Business

AI in UK Financial Services FCA Guidance

The FCA hasn't written a dedicated AI rulebook, and that surprises a lot of firms into assuming AI use isn't specifically regulated. It is, through the FCA's existing rules applied in full to whatever AI touches. This guide explains what the FCA actually expects from a firm using AI in a regulated activity.

Last verified: 17 July 2026. References checked against current legislation.

Editorial Perspective

You're the compliance officer at a 15-person fintech firm, and you're about to roll out an AI tool for credit risk scoring. The problem is there's no single "AI rulebook" from the FCA to check your tool against, which makes it tempting to assume there's nothing specific to worry about. This guide explains exactly what the FCA does expect, using the rules that already apply to your firm. No legal background needed.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

The FCA has deliberately chosen not to write a dedicated AI rulebook, relying instead on its existing rules and principles applying in full to however a firm uses AI. That's a genuine regulatory choice, not a gap, and it means the absence of AI-specific rules doesn't mean an absence of obligation.

In short: The FCA applies its existing framework, Consumer Duty, senior manager accountability, and fair-outcomes requirements, to AI use in full, rather than writing separate AI-specific rules. The FCA's own AI guidance, published December 2024, sets clear expectations around governance, explainability, and testing AI systems for discrimination, with ongoing monitoring for model drift. If your firm uses AI in a regulated activity, these expectations apply now, not once dedicated AI rules eventually arrive.

The plain-English answer

No specific AI licence or separate AI rulebook exists to check your tool against, and that's by design. When AI is used within a regulated activity or customer journey, credit decisions, robo-advice, fraud detection, insurance pricing, the FCA's existing rules and expectations apply to that activity in full, regardless of whether AI or a person is doing the work. The practical question isn't "does AI-specific regulation cover this," it's "does my existing regulatory obligation cover this activity, and does my AI tool actually meet it."

Why this matters for your business

A 15-person fintech firm rolling out an AI credit-scoring tool is in a genuinely common position, and the absence of a dedicated AI rulebook can create a false sense that AI use sits in a regulatory grey area. It doesn't. Consumer Duty, the FCA's outcomes-focused standard requiring firms to act to deliver good outcomes for retail customers, applies to an AI-driven credit decision exactly as it would to a human underwriter's decision. Senior manager accountability rules mean someone at the firm is personally responsible for the AI tool's outcomes, the AI itself isn't a shield from that accountability.

The cost of assuming AI use falls outside existing obligations isn't abstract. A firm that rolls out an AI tool without testing it against the fairness and explainability standards the FCA expects is exposed exactly as it would be for a human process that discriminated or produced unexplainable outcomes, the FCA's principles-based approach doesn't create a lighter standard for AI, it applies the same standard through existing rules.

What the FCA actually expects

The FCA's own position, set out on its AI approach page and AI in financial services page, is that it does not intend to introduce prescriptive AI-specific rules, choosing instead to embed AI oversight within its current conduct and prudential standards. In December 2024, the FCA published AI Guidance for Financial Services Firms, setting out a risk-based framework with clear expectations around governance, explainability, and fair outcomes.

Specifically, the FCA expects firms to test AI systems for discrimination across protected characteristics, with regular backtesting against holdout populations, groups of cases deliberately excluded from the model's training so its performance can be checked against real, unseen outcomes, and ongoing monitoring for model drift, the gradual change in an AI system's behaviour or accuracy over time as real-world data shifts away from what it was originally trained on. The FCA is also actively watching this space closely: it launched a long-term review into AI's effect on retail financial services in January 2026, and its March 2026 perimeter report specifically flagged the growing use of general-purpose AI tools offering financial advice or recommendations that may not fit neatly within existing regulatory boundaries, worth checking if your firm's AI use resembles this pattern.

What this looks like in practice

Picture the compliance officer preparing to launch the AI credit-scoring tool, initially treating the absence of dedicated AI rules as a green light with nothing specific to check. Working through the FCA's actual guidance changes the plan: before launch, the firm sets up discrimination testing across protected characteristics using a holdout population the model never saw during training, establishes a monitoring process to catch model drift over time, and documents which senior manager is accountable for the tool's ongoing performance.

None of this required waiting for AI-specific FCA rules to exist, because the fair-outcomes and governance obligations the FCA expects were already there, in Consumer Duty and existing conduct standards, and the AI guidance simply makes clear how those existing obligations apply to a tool like this one specifically.

What you can do about it

A practical starting point for any AI tool used in a regulated financial activity:

  • Confirm which existing FCA obligation applies to the activity the AI tool performs, Consumer Duty and fair-outcomes requirements almost always do for a customer-facing decision.
  • Test the AI system for discrimination across protected characteristics before launch, using a holdout population, not just the training data.
  • Set up ongoing monitoring for model drift, a one-off test at launch isn't sufficient given AI performance can change over time.
  • Name a specific senior manager accountable for the AI tool's outcomes, matching existing SM&CR governance expectations.
  • Check whether your AI use resembles the general-purpose advice-tool pattern the FCA flagged in its March 2026 perimeter report, and get specific advice if it does.

If the AI tool also makes automated decisions with legal or significant effects on customers, the UK GDPR human review requirement applies on top of these FCA expectations. See our guide on UK GDPR and the right to a human review.

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.

Related reading: our AI governance by region.

Try our free AI Compliance Checker to check whether your AI tools meet your compliance obligations.

Does the FCA plan to introduce AI-specific rules eventually?

The FCA's stated position is that it doesn't intend to introduce prescriptive AI rules, preferring to embed AI oversight within existing conduct and prudential standards. It is actively reviewing the space, including a long-term review launched in January 2026, so this position is worth checking periodically rather than treated as permanently fixed.

What counts as backtesting against a holdout population?

It means testing the AI system's decisions against a set of real cases deliberately excluded from the data used to train the model, so you can check whether its outputs are fair and accurate on genuinely unseen data, not just data it already learned from. This is a standard technique for catching bias or performance issues a model might otherwise hide.

Does this apply to a small fintech firm, or only large regulated banks?

It applies to any firm carrying out a regulated activity, regardless of size. The FCA's principles-based approach scales expectations to the nature and risk of the activity, not the size of the firm, a small firm doing a genuinely lower-risk AI-assisted task has a lighter burden than one making high-stakes credit decisions, but the underlying obligation to meet fair-outcomes standards applies either way.

What is the March 2026 perimeter report warning about specifically?

It flagged the rapid growth of general-purpose AI tools offering financial advice or recommendations in ways that may not fit neatly within the FCA's existing regulatory perimeter, worth attention if your firm is building or using a tool that gives customers financial guidance outside a clearly regulated advice process.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

Is your AI tool also making automated decisions with legal effects on customers?

Check the human review requirement