Automated customer decisions just became easier, and harder to defend
Most of what is written about Article 22 still describes a rule that no longer applies.
For years the position was simple to state. Under Article 22 of the UK GDPR, making a decision about someone by purely automated means, where that decision had a legal or similarly significant effect, was restricted, and only allowed where it was necessary for a contract, authorised by law, or based on explicit consent. So when a firm asked whether it could let AI decide on a customer, the honest answer was usually "be very careful, this is mostly not allowed."
That rule was rewritten. The Data (Use and Access) Act 2025 replaced Article 22 with new Articles 22A to 22D, in force from 5 February 2026. For ordinary personal data, the broad default restriction is gone. Significant automated decisions are now permitted as a starting point, provided you put the required safeguards in place. You no longer have to find an exception before you switch the system on.
Here is the part that catches people. The instinct on reading "the restriction has been removed" is to relax. That is the wrong move, and for a regulated firm a costly one. The accountability did not vanish. If anything, the extra room to automate makes your evidence, your controls and your outcome monitoring more important, because the thing protecting you is no longer a prohibition you can point to. It is your own ability to show the decision was fair.
What actually changed, including the part that did not
Two things are worth separating, because firms tend to hear only the first.
The relaxation applies to ordinary personal data. For non-special-category data, significant automated decisions are allowed subject to the safeguards in the new Article 22C: you must give the person information about the decision, let them make representations, let them obtain human intervention, and let them contest the outcome. These are not box-ticks. The expectation is that each one is operational. A privacy notice that mentions a right to human review with no reachable way to use it does not meet the standard.
The tighter rule survives for special category data, and this is the part a finance firm cannot skip. Under Article 22B, significant solely automated decisions based on special category data (health, racial or ethnic origin, religious belief, biometric data and the rest) remain restricted unless you have explicit consent or a specific legal authorisation. The catch is the scope: a decision counts if it is based on special category data entirely or partly. In a regulated firm, that data creeps in more easily than people expect. Health and disability information inside an affordability assessment, vulnerability indicators, anything that touches a protected characteristic, can pull an otherwise ordinary decision into the stricter regime without anyone choosing to put it there.
So the accurate headline is not "automated decisions are now allowed." It is "automated decisions on ordinary data are allowed with safeguards, and the harder rules still apply the moment special category data is in the mix."
Does this even apply to your firm?
Often less than you fear, and getting this clear stops you governing things that do not need it and missing the things that do.
The data protection rule only bites when two things are both true. The decision is made solely by automated means, with no meaningful human involvement. And it has a legal or similarly significant effect: declining an application, setting a price, flagging someone in a way that changes what they are offered. A system that simply applies rules a human has already set, accepting or declining a payment by card type for instance, is not making the kind of decision the rule is aimed at.
Most AI in a mortgage, advice or accountancy practice today is decision support, not decision making. The system reads, sorts, drafts, summarises, scores or flags, and a person makes the call. The Bank of England and FCA's 2024 survey of the sector found that while a majority of AI use cases involved some degree of automated decision-making, only 2% of reported use cases were fully autonomous. If a real person genuinely weighs the output and decides, the solely-automated rule is not triggered, and the specific safeguards do not apply, though your general fairness and transparency duties always do.
The honest answer to "can I use AI to help assess affordability or suitability" is therefore yes, and more comfortably than a year ago, provided a human is genuinely in the loop. The trap is what counts as genuinely.
The bit that catches people: meaningful human involvement
A human in the loop only protects you if the involvement is real. The review must be active and capable of changing the outcome. Someone who clicks approve on whatever the system recommends, who never overturns it, who could not explain why a given decision was reached, is not meaningful human involvement. That is a rubber stamp, and it leaves you exactly where you would be if the machine had decided alone: inside the rule, needing to justify it.
This is not a hypothetical risk. When the ICO examined how employers were using AI in recruitment, it found that many described their tools as decision support while, in practice, there was no meaningful human involvement and the tools were producing decisions with significant effects on candidates. The firms believed they were outside the rule. The regulator's view was that they were inside it, without the safeguards the rule requires. The same gap is easy to fall into in a lending or advice process.
The practical test for your firm is uncomfortable but simple. Look at where AI flags, scores or recommends a customer outcome, and ask whether the person who signs it off ever disagrees with the system, and whether they could explain the decision to that customer in plain terms. If the honest answer is no, you do not have human involvement. You have automation with a signature on it.
Data protection is not the only regime watching
Even where the automated-decision rule does not apply, you are not clear, because a second regime sits on top of it and it does not turn on whether the decision was solely automated. It turns on whether AI influenced the outcome at all.
The FCA has been consistent: there is no separate AI rulebook coming, and AI is supervised through the frameworks you already operate under, chiefly the Consumer Duty and the Senior Managers and Certification Regime. The Duty is outcomes-focused and the burden of proof sits with the firm. An AI system that steers customers toward an unsuitable product, or quietly produces worse outcomes for vulnerable customers, is a Consumer Duty problem whether or not a human approved each case, and whether or not the data protection rule was ever engaged. This is the precise point where "solely automated" stops mattering and "influenced the outcome" starts.
Accountability does not move either. The FCA's position is that AI used within a business area falls within the responsibilities of the senior manager who owns that area, and that manager must take reasonable steps to ensure it is effectively controlled. Handing the decision to a model does not change that, and the regulator has been blunt in evidence to the Treasury Committee that "I did not understand it" is not a defence. The fuller picture on what the FCA expects, and the cost of getting it wrong, is the subject of its own guide. The point here is narrower: clearing the data protection bar does not clear you with the FCA, and the two regimes bite at different points.
What this means in practice
If your firm uses AI anywhere near a customer decision, a modest amount of work now puts you in a defensible position:
Map where AI influences outcomes. List every point where a model scores, flags, ranks or recommends something that affects what a customer is offered or charged. You cannot govern what you have not located.
Flag where special category data is involved. Wherever health, vulnerability or any protected characteristic could feed a decision, even partly, treat it as the stricter case and confirm your lawful basis before the system runs, not after.
Make the human involvement real, not nominal. Where a person signs off an AI-influenced decision, make sure they have the information and the authority to disagree, and that they sometimes do. Record how that review works in practice.
Be able to explain the decision. For any AI-influenced outcome, you should be able to tell the customer, in plain language, what happened and why. "The system decided" is not a position you want to defend to the FCA or the ICO.
Carry out a DPIA where the processing is likely to be high risk, and in particular where you use solely automated decisions with legal or similarly significant effects. Keep clear records of your lawful basis and tell customers, in your privacy information, where automated processing is used.
Watch the outcomes, not just the process. The Duty is judged on results. Monitor whether your AI-influenced decisions produce fair outcomes across your customer base, including for vulnerable customers, and act when they do not.
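Two of the items above, the test of whether human review is real and the monitoring of outcomes across the customer base, can be run as routine checks over a decision log. The following Python is an added example written for this article, not code from any regulator or vendor; the log records, field names and the thresholds are constructed assumptions, and a firm's own log will carry different fields.

```python
"""Checks over a decision log: is the human review real, are outcomes fair,
and which cases touched special category data.

All records below are constructed for illustration. Field names and the
rubber-stamp threshold are assumptions, not anything the article prescribes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    case_id: str
    reviewer: str
    model_recommendation: str     # "approve" or "decline" (assumed vocabulary)
    final_outcome: str            # what the reviewer actually signed off
    vulnerable: bool              # vulnerability indicator on the customer
    uses_special_category: bool   # health / protected characteristic fed in, even partly


# Constructed sample log: two reviewers, five cases each.
DECISIONS = [
    Decision("c001", "alice", "approve", "approve", False, False),
    Decision("c002", "alice", "approve", "decline", False, False),  # override
    Decision("c003", "alice", "decline", "decline", True, True),
    Decision("c004", "alice", "decline", "approve", True, True),    # override
    Decision("c005", "alice", "approve", "approve", False, False),
    Decision("c006", "bob", "decline", "decline", True, True),
    Decision("c007", "bob", "decline", "decline", True, True),
    Decision("c008", "bob", "approve", "approve", False, False),
    Decision("c009", "bob", "decline", "decline", False, False),
    Decision("c010", "bob", "approve", "approve", False, False),
]


def override_rate_by_reviewer(decisions):
    """Share of each reviewer's cases where the signed-off outcome differs
    from the model's recommendation. A rate at or near zero over many cases
    is the 'automation with a signature on it' pattern the article warns about."""
    seen = defaultdict(int)
    overridden = defaultdict(int)
    for d in decisions:
        seen[d.reviewer] += 1
        if d.final_outcome != d.model_recommendation:
            overridden[d.reviewer] += 1
    return {r: overridden[r] / seen[r] for r in seen}


def rubber_stamp_reviewers(decisions, min_cases=5, max_override_rate=0.05):
    """Reviewers with enough cases to judge and an override rate below the
    assumed threshold. Their cases should be treated as solely automated
    until the review process is shown to be real."""
    counts = defaultdict(int)
    for d in decisions:
        counts[d.reviewer] += 1
    rates = override_rate_by_reviewer(decisions)
    return sorted(r for r, rate in rates.items()
                  if counts[r] >= min_cases and rate <= max_override_rate)


def decline_rate_by_vulnerability(decisions):
    """Decline rate for customers flagged vulnerable versus everyone else,
    plus the gap between them. The gap is the number to watch over time."""
    totals = {True: 0, False: 0}
    declines = {True: 0, False: 0}
    for d in decisions:
        totals[d.vulnerable] += 1
        if d.final_outcome == "decline":
            declines[d.vulnerable] += 1
    vuln = declines[True] / totals[True] if totals[True] else 0.0
    other = declines[False] / totals[False] if totals[False] else 0.0
    return {"vulnerable": vuln, "not_vulnerable": other, "gap": vuln - other}


def special_category_cases(decisions):
    """Case ids where special category data fed the decision, even partly.
    These fall under the stricter Article 22B regime and need a confirmed
    lawful basis before the system runs."""
    return sorted(d.case_id for d in decisions if d.uses_special_category)


if __name__ == "__main__":
    print("override rate:", override_rate_by_reviewer(DECISIONS))
    print("rubber stamps:", rubber_stamp_reviewers(DECISIONS))
    print("decline rates:", decline_rate_by_vulnerability(DECISIONS))
    print("special category cases:", special_category_cases(DECISIONS))
```

On the constructed log, one reviewer overrides the model in two of five cases and the other never does; the second reviewer is the one whose sign-off would not count as meaningful involvement. The decline-rate gap between vulnerable and other customers is the figure that should sit on a dashboard and be reviewed, since a widening gap is a Consumer Duty outcome problem whether or not the data protection rule is engaged.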
One honest caveat
This is a moving area, and any firm that tells you the position is settled is overselling. The statutory rules are live, but the detail is still being written. The ICO's consultation on its draft automated decision-making guidance closed on 29 May 2026, with final guidance expected later in the year, and a statutory AI and automated decision-making code of practice is due to follow through the legislative process. Separately, the Treasury Committee has recommended that the FCA publish practical guidance by the end of 2026 on how existing consumer protection rules and senior manager accountability apply to AI. Even the meaning of "meaningful human involvement" may be defined further by secondary legislation that has not yet been made.
That uncertainty is the argument for getting your governance right now rather than waiting. The firms that will struggle are not the ones that adopted AI. They are the ones that adopted it without being able to show, on the day a regulator asks, where it influences decisions and how they know those decisions are fair. That evidence is built before you need it, not after.
If you want to know where AI sits in your firm's decisions and where the exposure actually is, the AI Compliance Checklist walks through it for a UK regulated firm. It is the same diagnostic I use on the first day of an engagement.
