The Regulatory Philosophy
The Financial Conduct Authority (FCA) has made its position on AI regulation clear: no new AI-specific rules. Instead, existing principles and outcomes-based regulation will apply to AI as they apply to any other technology or process.
For financial services SMEs, this is both good news and a challenge. Good because you don't need to master a new regulatory framework. Challenging because "it depends on the outcomes" requires more judgment than a simple rulebook.
What the FCA Has Said
AI Update (December 2024)
The FCA's most recent AI guidance reaffirms:
Technology Neutrality: "We don't regulate specific technologies—we regulate the activities and outcomes they enable."
Proportionality: "Our approach is proportionate. SMEs using AI for basic automation face different expectations than large firms building complex algorithmic decision-making."
Consumer Protection: "Consumer Duty applies to AI-assisted services just as it applies to human-delivered services. Good outcomes for customers are what matter."
Senior Manager Accountability: "Senior managers remain accountable for activities conducted through AI systems, just as they're accountable for any other operational activity."
Implications for SMEs
What This Means:
- No separate "AI compliance" regime to learn
- Apply existing compliance frameworks to AI use
- Focus on outcomes, not technology
- Proportionality works in SMEs' favour
The FCA's approach is sensible: don't regulate technology, regulate what the technology does. But it requires firms to think through implications rather than follow a checklist.
Consumer Duty and AI
The Consumer Duty provides the main framework for thinking about AI in customer-facing applications.
The Four Outcomes
1. Products and Services:
- Must meet customers' needs
- AI-recommended products must be appropriate
- AI-designed products must deliver fair value
2. Price and Value:
- AI shouldn't enable poor value extraction
- Dynamic pricing must be fair
- Efficiency gains should benefit customers too
3. Consumer Understanding:
- AI communications must be clear
- Customers should understand AI-influenced decisions
- Complexity shouldn't be used to confuse
4. Consumer Support:
- AI support must actually help
- Human escalation must be available
- AI limitations acknowledged and managed
Practical Application
| AI Application | Consumer Duty Consideration |
|---|---|
| Robo-advice | Does it result in suitable recommendations? |
| Chatbot support | Does it resolve issues or frustrate customers? |
| Credit decisions | Are outcomes fair and explainable? |
| Marketing personalisation | Is it helpful or manipulative? |
| Fraud detection | Are false positives handled fairly? |
Compliance Through Outcomes
The Assessment Framework
For any AI application, ask:
1. What's the intended outcome?
- Be specific about what the AI should achieve
- Define success in customer terms, not technical terms
2. What could go wrong?
- Technical failures
- Biased outcomes
- Consumer harm scenarios
- Misuse possibilities
3. How will you know if it's working?
- Monitoring mechanisms
- Customer feedback loops
- Outcome measurement
- Audit capability
4. What controls are appropriate?
- Proportionate to risk
- Matched to the firm's size and complexity
- Documented and followed
- Reviewed periodically
Documentation Expectations
The FCA expects you to be able to explain:
- What AI you use and why
- How it affects customers
- What controls are in place
- How you monitor outcomes
- Who is accountable
You don't need extensive documentation for low-risk applications, but you should be able to articulate your thinking.
The test isn't "do you have perfect documentation?" It's "can you demonstrate you've thought through the implications and put sensible controls in place?"
Specific Application Areas
Automated Advice
FCA Focus:
- Suitability of recommendations
- Quality of fact-finding
- Appropriate risk assessment
- Clear limitations disclosure
SME Approach:
- Use established platforms with regulatory track record
- Supplement with human oversight for complex cases
- Monitor recommendation patterns for bias
- Maintain records of advice rationale
Customer Communications
FCA Focus:
- Clarity and accuracy
- Fairness in presentation
- Appropriate targeting
- No misleading implications
SME Approach:
- Human review of AI-generated communications before use
- Templates approved for common scenarios
- Personalisation that helps, not manipulates
- Clear opt-out mechanisms
Credit and Underwriting
FCA Focus:
- Fair decision-making
- Explainability of decisions
- Bias detection and mitigation
- Consumer redress mechanisms
SME Approach:
- Understand how AI models work (at principle level)
- Monitor for unexpected patterns
- Human review of declined applications
- Clear explanation available to customers
Fraud and Financial Crime
FCA Focus:
- Effectiveness of detection
- False positive management
- Customer communication about alerts
- Balance of security and service
SME Approach:
- Use established AML/fraud solutions
- Define appropriate thresholds
- Process for customer communication
- Regular effectiveness review
Proportionality for SMEs
The FCA recognises that small firms face different circumstances:
What Proportionality Means
For Large Firms:
- Dedicated AI governance teams
- Extensive model validation
- Detailed documentation
- Formal oversight committees
For SMEs:
- Senior manager ownership
- Sensible controls
- Adequate documentation
- Periodic review
SME-Appropriate Controls
| Risk Level | Example Use | Appropriate Controls |
|---|---|---|
| Low | Document automation | Basic review process |
| Medium | Customer chatbot | Human escalation, satisfaction monitoring |
| Higher | Credit scoring input | Understanding of model, monitoring, human override |
Proportionality isn't an excuse for no controls. It means controls should fit the risk and the firm's size. A small firm with high-risk AI use still needs robust controls.
Third-Party AI
Many SMEs use AI through third-party providers. The FCA is clear: you remain responsible.
Due Diligence Requirements
Before Adoption:
- Understand what the AI does
- Assess the provider's compliance position
- Review contractual terms
- Consider concentration risk
Ongoing:
- Monitor provider performance
- Stay aware of changes
- Review periodically
- Have exit options
Questions for Providers
- How does the AI work (principle level)?
- What controls do you have?
- How do you handle bias and fairness?
- What monitoring and reporting is available?
- What happens if something goes wrong?
Staying Current
The regulatory landscape will evolve:
Monitor
- FCA publications and speeches
- Industry association guidance
- Peer practice evolution
- Enforcement actions and outcomes
Adapt
- Review AI use periodically
- Update controls as expectations evolve
- Learn from industry incidents
- Engage with regulatory developments
Engage
- Respond to FCA consultations
- Participate through industry bodies
- Share experiences appropriately
- Seek guidance when uncertain
The Bottom Line
The FCA's principles-based approach puts responsibility on firms to think through AI implications rather than follow a rulebook. For SMEs, this means:
- Apply existing compliance frameworks to AI
- Focus on customer outcomes
- Implement proportionate controls
- Document your thinking
- Monitor and adapt
The absence of AI-specific rules is a feature, not a bug. It means you can adopt AI sensibly without regulatory permission—as long as you do so responsibly.
