What the FCA actually expects from firms using AI.

The Consumer Duty, SMCR and operational resilience lens on AI, translated for SME compliance teams.

Written by Dom Leigh · Former mortgage adviser (7 years) and project manager at National Building Society · PRINCE2®-certified · Last updated May 2026 · 12-minute read

The FCA has chosen not to write an AI rulebook. Instead it has been clear, repeatedly, that AI use sits inside the rules that already exist — the Consumer Duty, SMCR, operational resilience, SYSC. That is good news for SME firms. It means there is no new framework to learn. It also means the FCA expects you to apply the frameworks you already operate to the AI tools you adopt, and to evidence that you have done so.

This guide translates that expectation into the artefacts a UK SME compliance team can actually produce. It assumes you are not a bank, you do not have a 20-person second line, and you want to use AI without ending up in a supervisory conversation you did not plan for.

The FCA's stated position

The FCA's public position through 2025 and into 2026 has been consistent across speeches, the AI Update, the joint Bank of England survey, and the regulator's own messaging to firms: existing rules apply, technology-neutral supervision applies, and the burden is on the firm to show its AI use is consistent with those rules.

We don't need a separate set of rules for AI. The rules we have — the Consumer Duty, the Senior Managers Regime, operational resilience — apply to AI in exactly the same way they apply to every other process inside a firm.

- David Geale, FCA Director of Retail Banking, Treasury Committee, January 2026

That sentence is worth re-reading because it removes a question many SME firms get stuck on. There is no waiting for the FCA to publish AI rules before adopting a tool. There is no carve-out that says smaller firms have a lighter standard. There is just the existing handbook, applied to the new tool.

75% of UK financial services firms surveyed by the FCA and Bank of England in 2024 reported using AI in some form. The number in 2026 is materially higher. Supervisory expectations are calibrated to that adoption level.

Consumer Duty: the dominant lens

For any AI tool that touches a customer journey — even indirectly — the Consumer Duty is the lens that matters most. PRIN 2A and the four outcomes (products and services, price and value, consumer understanding, consumer support) frame the question the FCA will ask: can you show this AI use supports good outcomes and does not cause foreseeable harm?

What good evidence looks like

The minimum viable evidence pack for a Consumer-Duty-adjacent AI tool is short. A statement of which outcomes the tool affects. A description of the harm scenarios you considered and what you have done to mitigate them. A monitoring plan that captures accuracy, vulnerable-customer indicators, and exception rates. A note of who reviews that monitoring and how often. Board or committee minutes recording the review.

None of this is unique to AI. It is the same evidence pack you would assemble for a new product launch or a material outsourcing arrangement. The mistake firms make is treating AI as a technology project owned by IT and skipping the outcomes layer entirely.

SMCR: someone owns this

The Senior Managers Regime is the FCA's answer to the question of who is accountable when something goes wrong. AI does not change that answer. It just makes it more important to write the answer down before something goes wrong.

Mapping accountability

For each AI tool the firm operates, the AI Use Register should name a single Senior Manager who carries the accountability. For most SMEs the practical map is straightforward: SMF16 (Compliance Oversight) owns compliance-adjacent tools (policy drafting, regulatory horizon scanning, document review). SMF3 or SMF1 owns firm-wide tools or any tool that materially affects customer outcomes. SMF17 (MLRO) owns anything touching financial crime workflows.

The accountable Senior Manager does not have to understand the model architecture. They have to understand what the tool does in the firm, what risks it introduces, what controls are in place, and how those controls are tested. If they cannot articulate that to the regulator, the firm has a problem.

Operational resilience: treat AI as a third party

Almost every AI tool a UK SME firm will adopt is provided by a third party. The model is OpenAI's, or Anthropic's, or Google's. The hosting is AWS or Azure. The application sits on top of those layers. That makes AI use, by default, a third-party operational resilience question.

What the SS1/21 lens looks like for an SME

Identify the important business services the AI tool supports. Set a tolerance for disruption to those services. Map the third parties in the AI supply chain — model vendor, application vendor, hosting provider — and identify the concentration risks. Document what the firm does if the tool is unavailable for a day, a week, longer. Test that plan at least annually.

The proportionate version of this for an SME firm is a one-page document per material AI tool. It does not need to be the same artefact a tier-one bank would produce. It does need to exist and to be reviewed.

Article 22 and the automated-decision boundary

The FCA expects firms to comply with UK GDPR, including Article 22 on solely-automated decision-making. The practical line for SME financial services firms is simple: if a decision has a legal or similarly significant effect on a customer — declining a mortgage, declining cover, restricting access to a product — and that decision is made without meaningful human review, Article 22 applies and the firm needs an explicit lawful basis plus the customer-facing safeguards.

For most SME firms the cleanest answer is to keep a human in the decision. The AI drafts, summarises, screens, prepares. A qualified person reviews and decides. That pattern keeps Article 22 out of scope and keeps the SMCR accountability map clean at the same time.

The supervisory evidence pack

If a supervisor walked into your firm tomorrow and asked to see your AI governance, what would you hand them? The answer for an SME firm operating AI tools proportionately is six documents.

1. The AI Use Register

A single sheet, one row per AI tool. Vendor, purpose, business owner, accountable Senior Manager, customer-impact assessment, date approved, date last reviewed. Treat it like a financial promotions register or an outsourcing register — it is the same kind of artefact.

2. The governance trail

For each material AI tool: the paper that went to the committee or Senior Manager who approved it, the minutes recording the decision, the date for the next review. Six months is a reasonable cadence in 2026 given how fast the underlying tools change.

3. The customer-outcome monitoring

For tools that touch customer journeys: accuracy or error-rate data, vulnerable-customer indicators, complaint rate compared to the non-AI baseline, sample of exceptions reviewed by the second line. The volumes will be small for an SME firm. That is fine. What matters is the data exists and is reviewed.

4. The operational resilience map

The third-party chain for each material AI tool, the impact tolerance for the services it supports, the contingency plan if the tool is unavailable. One page per tool is usually enough.

5. The DPIA where required

Required for tools processing personal data at scale, tools doing automated decision-making, tools handling special category data. The ICO template is the right starting point. The DPIA does not need to be long; it does need to be specific to the tool, not a copy of a generic AI DPIA.

6. The human-review and exception logs

For any tool whose output feeds a customer decision: a log showing the human review happened, who did it, what they changed, what they escalated. This is the single most useful artefact in a supervisory conversation because it evidences the human-in-the-loop pattern in practice rather than in policy.

How this lands in practice

The firms that struggle with FCA expectations on AI are the ones that have skipped the governance layer entirely — bought a tool, rolled it out, treated it as a productivity question. The firms that find this straightforward are the ones that have treated AI adoption as a small extension of the change-control and outcomes-monitoring processes they already run.

The Consumer Duty and SMCR were built to flex. They flex to cover AI without needing to be rewritten. The work is in producing the evidence, not in inventing a new framework.

Build the evidence pack first.

The compliance reference walks through the 10-point checklist, the AI Use Register template, and the governance papers SME firms actually need. Start there before you deploy.

FCA expectations on AI in practice.

There is no dedicated AI rulebook. As of 2026 the FCA has been explicit that it is regulating AI through existing frameworks rather than writing one. That means the Consumer Duty, SMCR, operational resilience requirements and SYSC (the Senior Management Arrangements, Systems and Controls sourcebook) all apply to AI use exactly as they apply to any other business process.

There is no general pre-approval requirement for adopting AI inside a regulated firm. What the FCA expects is that the decision is documented, that a Senior Manager owns it, that the firm has assessed customer outcome and operational resilience risks, and that the firm can evidence all of that on request. Material changes to how customers are treated may also trigger notifications under Principle 11.

Accountability follows the existing SMCR map. The Senior Manager whose function covers the activity the AI is supporting carries the accountability — usually SMF16 (Compliance Oversight) for compliance-adjacent tools, SMF3 (Executive Director) or SMF1 (Chief Executive) for firm-wide deployments. The firm should document this mapping in its AI Use Register so it is unambiguous when the FCA asks.

The Consumer Duty applies to AI use in the same way it applies to any process that touches a customer outcome. Firms have to be able to evidence that AI use supports the four outcomes — products and services, price and value, consumer understanding, consumer support — and does not foreseeably harm them. In practice that means monitoring AI-assisted journeys for vulnerable-customer signals, accuracy and fairness, and being able to show the board has reviewed that monitoring.

If an AI tool sits inside an important business service the firm has to treat it as part of that service for operational resilience purposes. That means setting an impact tolerance for disruption, mapping the third parties involved (model vendor, API provider, hosting), and testing what happens when the tool is unavailable. SME firms can keep this proportionate but they cannot skip it.

The FCA has not mandated blanket disclosure that AI was used, but firms must not mislead customers about how decisions are made and must comply with UK GDPR Article 22 when decisions have a legal or similarly significant effect. The safer pattern is to disclose AI use in plain language where it would be material to the customer, and always to disclose when asked.

Expect requests for an AI Use Register, the governance trail (who approved it, on what basis, when reviewed), the customer-outcome monitoring data, the operational resilience mapping, the DPIA where one was required, and the human-review and exception logs for any tool that touches customer decisions. None of these are AI-specific documents — they are existing compliance artefacts extended to cover the AI use.

The principal carries the regulatory responsibility. If an AR is using an AI tool the principal has to have visibility of it, approve it through the same governance, and include it in the principal's own AI Use Register. ARs cannot operate AI tools their principal has not signed off on without putting the principal at risk under SUP 12 and the Consumer Duty.