From Principles to Practice: The FCA’s Evolving Expectations on AI Governance

Viewpoints
June 29, 2026

Key Takeaways:

  • No AI rulebook does not mean no supervision. The FCA does not intend to introduce AI-specific rules, but regulated firms are expected to manage AI through existing frameworks.

  • Cyber resilience is now an AI governance issue. Frontier AI amplifies cyber threats in speed, scale and cost, making resilience and response planning central to AI governance.

  • Evidence and accountability matter. As the FCA develops its good – and poor – practice guidance, firms should be able to evidence how AI governance operates in practice.

On 14 May 2026, the UK Financial Conduct Authority (the “FCA”) announced the reopening of its artificial intelligence (“AI”) consultation platform (the “AI Input Zone”), inviting feedback on what “good” looks like in relation to safe and responsible AI development and deployment. The following day, the Bank of England (the “BoE”), the FCA and HM Treasury issued a joint statement urging regulated financial firms to strengthen their cyber resilience against the emerging threats posed by frontier AI models (the “Joint Statement”). 

These two announcements, issued within 48 hours of each other, highlight a shift in the FCA’s approach to AI from theoretical frameworks to tangible operational expectations: its principles-based regime is now being translated into practical supervisory expectations around accountability, operational resilience, third-party risk and evidence of effective implementation. This alert examines the implications of these developments for regulated firms and outlines what they mean in practice.

The FCA’s Direction of Travel

The UK has not adopted AI-specific legislation comparable to the EU AI Act. Instead, it favours a principles-based, sector-led approach. The FCA has consistently stated that it does not intend to introduce AI-specific rules, and expects firms to manage AI risks through existing frameworks, including the Consumer Duty, the Senior Managers and Certification Regime (the “SM&CR”), governance and controls expectations and operational resilience requirements.

This position has faced scrutiny. In January 2026, the House of Commons Treasury Committee criticised the FCA, BoE and HM Treasury for what it described as a “wait-and-see” approach to AI risks in financial services, concluding that the regulators were “not doing enough” and were exposing consumers and the financial system to potentially serious harm. The Committee recommended that the FCA publish, by the end of 2026, comprehensive practical guidance on existing consumer protection rules and the level of accountability and assurance expected under the SM&CR for AI-related harm.

The FCA’s response has been incremental. In January 2026, it launched the Mills Review, led by Executive Director Sheldon Mills, to examine how advanced AI may reshape retail financial markets, consumers, firms and regulation by 2030 and beyond. Mills’s recommendations are expected to be delivered in summer 2026. Separately, the FCA continues to build its evidence base through its innovation and engagement platform for AI in financial services (the “AI Lab”).

A key aspect of the AI Lab is the AI Input Zone, an online survey through which the FCA is gathering views from market participants on examples of good and poor practice in AI deployment. The responses will directly inform a publication later in 2026 that is expected to serve as the FCA’s practical benchmark for supervisory engagement on AI. The FCA’s identification of “good practice” is likely to influence the questions supervisors ask, even in the absence of detailed rules. In practice, non-binding good and poor practice guidance is likely to become an important reference point for legal and compliance teams at regulated firms, as well as their boards of directors and internal assurance functions. 

Frontier AI and Cyber Resilience 

The Joint Statement published on 15 May 2026 addresses the cybersecurity implications of frontier AI. Its central message is that the cyber capabilities of current frontier AI models already exceed what a skilled hacker could achieve, at higher speed, greater scale and lower cost. If – or, more realistically, when – used maliciously, those capabilities amplify cyber threats to firms’ safety and soundness, customers, market integrity and financial stability.

The Joint Statement identifies five areas where firms should take active steps:

  • Governance and strategy. Boards and senior management should have sufficient understanding of frontier AI risks, and investment decisions should reflect the emerging threat.

  • Vulnerability management. Firms should triage, prioritise and remediate vulnerabilities more quickly, more frequently and at greater scale.

  • Third-party risk. Firms should manage frontier AI cyber risks arising from third parties and supply chains, including open-source software.

  • Protection. Access management, network security and data protection should reduce attack surfaces. Firms should consider AI-enabled defences to operate at the speed of AI-driven attacks.

  • Response and recovery. Firms should be able to respond and recover rapidly, drawing on the effective cyber resilience practices published in October 2025.

The Joint Statement is not intended to introduce new expectations, but to bring together and reinforce existing messages. The framework also provides a structured basis for assessing firms’ preparedness and makes clear that cyber resilience should no longer be treated as separate from AI governance, given that frontier AI changes the threat environment in which existing operational resilience, outsourcing and governance expectations apply.

This is particularly relevant for buy-side firms. The FCA’s March 2026 Wholesale Buy-Side Regulatory Priorities report highlighted that buy-side firms rely heavily on third-party providers to deliver important business services, creating dependencies and potential concentration risks. Data from the National Cyber Security Centre identified 204 nationally significant cyber attacks in the 12 months to September 2025, up from 89 in the previous year, underscoring the importance of proactive resilience planning.

FCA/ICO Coordination and the Data Protection Overlay

One of the most significant developments in the past 18 months has been the move toward closer coordination between the FCA and the Information Commissioner’s Office (“ICO”), particularly through the Digital Regulation Cooperation Forum (“DRCF”). The DRCF, which also includes the Competition and Markets Authority and Ofcom, has committed to develop a collective understanding of how multiple regulatory regimes apply to AI, including agentic AI systems.

For financial services firms, this means that AI governance and data protection compliance cannot be approached in isolation. A joint FCA and ICO blog in June 2025 highlighted that firms are concerned about responsibility and accountability when third-party AI tools make automated decisions that affect customers. Under the SM&CR, this uncertainty has caused some firms to hold back from deploying such tools.

The ICO is separately preparing a statutory code of practice for organisations that develop or deploy AI and automated decision-making. Although this is an ICO-led initiative rather than a joint FCA and ICO product, the regulators have indicated that they will continue to coordinate on overlapping issues, including who decides why and how personal data is used across the generative AI supply chain, and how data protection law applies to automated decisions involving personal data. Accordingly, regulated firms should expect supervisory enquiries that address both financial regulation and data protection. For AI use cases involving personal data, firms should align FCA-facing governance and SM&CR accountability with their data protection obligations, including data protection impact assessments (“DPIAs”), transparency requirements and safeguards for automated decision making (such as human review).

Practical Steps for Firms

Firms should focus not only on whether they have AI governance arrangements, but whether they can evidence that those arrangements operate effectively in practice. The FCA’s direction of travel suggests that supervisory attention will focus on how firms apply existing frameworks to concrete AI use cases.

  • Create a live AI inventory and ownership map. Maintain an up-to-date inventory of where and how AI is being used, who is accountable, whether it supports an important business service, and whether it is developed internally or supplied by a third party.

  • Brief boards and senior managers with decision-useful information. The Joint Statement is clear that boards should have sufficient understanding of frontier AI risks. Senior managers under the SM&CR should be clear on their responsibilities in relation to AI-driven outcomes, and board reporting should cover material AI use cases, model performance, customer impact, third-party dependencies, cyber risks, incidents and remediation. 

  • Embed AI into operational resilience mapping and testing. Map AI risks into existing operational resilience self-assessments, business continuity planning and important business service mapping, including scenarios involving AI-enabled cyber attacks, supplier outages, data compromise, model failure or loss of access to critical AI tools. 

  • Strengthen third-party and supply chain controls. With about one third of AI use cases in financial services involving third-party implementations, firms should ensure that due diligence, ongoing monitoring and contingency planning are proportionate to their dependency on such services. Key areas include contractual rights, incident notification, auditability, subcontracting controls, open-source software exposure and exit planning. 

  • Prepare a supervisory evidence pack. Firms should be ready to evidence their AI inventory, governance approvals, SM&CR allocation, board and committee minutes, risk assessments, DPIAs, third-party assessments, model testing, resilience mapping, incident playbooks, escalation routes and remediation logs.

The FCA’s approach remains principles-based, but the Mills Review, the forthcoming AI good and poor practice publication, and the continuing focus on critical third parties and cyber resilience will add further colour to what firms must be able to evidence. For firms managing AI in regulated financial services, the message is clear: governance should not wait for a standalone AI rulebook.

Lily Kalati, Paralegal, also contributed to this article.