What AI Governance Framework Does the FCA Expect From Regulated Firms?

This article is for informational purposes only and does not constitute financial or legal advice. You should consult with a qualified professional before making any decisions about the use of AI in your firm.

---

What AI Governance Framework Does the FCA Expect From Regulated Firms?

The FCA has not issued a specific, standalone AI rulebook. Do not let that fool you into a false sense of security. The regulator has been explicitly clear: your existing obligations under the SM&CR, the Consumer Duty, and SYSC are more than sufficient to hold you to account for your use of AI. The expectation is not that you wait for new rules, but that you apply the current ones.

Firms often ask me what the FCA wants to see when it comes to AI governance. They are looking for a checklist, a set of prescriptive rules. That is the wrong way to think about it. The FCA is a principles-based regulator. It is not going to tell you how to build your AI governance framework. It is going to tell you what it expects that framework to achieve.

And what it expects is simple: that you can demonstrate you are in control of the risks and that you are delivering good outcomes for consumers.

The Building Blocks of an FCA-Ready AI Governance Framework

While the FCA will not give you a blueprint, its publications, speeches, and enforcement actions have given us a very clear picture of what a good AI governance framework looks like. It is built on the following pillars:

Pillar	FCA Expectation
1. Clear Accountability	The FCA expects to see clear lines of responsibility for AI, right up to the board and senior management. Your governance map must explicitly show who is responsible for the firm's overall AI strategy and for the use of AI in specific business areas. This is a direct application of the SM&CR.
2. Robust Risk Management	The FCA expects you to have a comprehensive and continuous process for identifying, assessing, managing, and mitigating the risks of AI. This is not just about technology risk; it is about conduct risk, consumer harm risk, and market integrity risk. This aligns with the risk control requirements in SYSC 7.
3. Effective Human Oversight	The FCA expects you to have meaningful human oversight of your AI systems. This means having qualified individuals who can understand, challenge, and intervene in the decisions made by your AI. The more significant the decision, the more robust the human oversight needs to be.
4. Rigorous Data Governance	The FCA expects you to have strong governance over the data you use to train, validate, and test your AI models. This is about ensuring the data is accurate, relevant, and, crucially, that it does not perpetuate or amplify bias.
5. Third-Party Vendor Management	The FCA expects you to have a rigorous due diligence process for any third-party AI vendors. You cannot outsource your regulatory responsibilities. You need to understand your vendors' models, their data, their security, and their ethical frameworks.
6. Transparency and Explainability	The FCA expects you to be able to explain how your AI systems work, both to your customers and to the regulator. If you are using a "black box" model, you need to be able to explain the safeguards you have put in place to protect against negative outcomes. This is a core tenet of the Consumer Duty's consumer understanding outcome.

The Pro-Innovation Façade

The UK government has positioned itself as "pro-innovation" on AI, choosing not to legislate immediately. This has led some firms to believe they have a free pass. This is a dangerous misreading of the situation.

The FCA is pro-innovation, but it is not pro-recklessness. It has a statutory duty to protect consumers and ensure market integrity. It will use the significant powers it already has to intervene where it sees harm.

The FCA's AI Live Testing service and its supercharged sandbox are not a sign of a light-touch approach. They are a sign that the regulator wants to understand the technology so that it can supervise it more effectively.

The Bottom Line: It is About Demonstrating Control

When the FCA comes knocking, they will not be asking to see your "AI Policy." They will be asking you to demonstrate how you are meeting your existing regulatory obligations in the context of AI.

They will ask you:

• "Show us how your board is overseeing the risks of AI."
• "Show us your risk assessment for your algorithmic pricing model."
• "Show us how you are ensuring your AI-powered chatbot is not misleading vulnerable customers."
• "Show us the due diligence you conducted on your AI vendor."

Your AI governance framework is your answer to those questions. It is the evidence that you are in control, that you are taking your obligations seriously, and that you are not just hoping for the best.

If you do not have that evidence, you are not just failing to meet the FCA's expectations; you are failing to meet your basic duty as a regulated firm.

---

Take the Next Step

If you are ready to move from theory to action, I can help. My AI Audit gives you a comprehensive assessment of your firm's AI readiness, identifying the gaps in your governance, the risks in your current tooling, and a clear roadmap to get you where you need to be.

Book a Discovery Call → or learn more about the AI Audit.