By: OpenKit on May 29 2026

Adopting AI in UK financial services: what is safe to deploy

How UK financial firms can adopt AI in line with FCA and Consumer Duty expectations, where SS1/23 model risk applies, and what is safe to deploy.


OpenKit is a UK AI and software consultancy that helps financial services firms adopt AI in line with FCA and Consumer Duty expectations and PRA SS1/23 model risk management. OpenKit holds ISO 27001, ISO 9001, and Cyber Essentials and is GDPR compliant; it is not FCA authorised, is not a regulator, and is not certified to ISO 42001 or SOC 2. OpenKit works with financial firms across the United Kingdom from a base in Cambridge.

In UK financial services, the question is rarely whether AI works. It is whether you can deploy it without breaching the Consumer Duty, sidestepping SS1/23 model risk expectations, or putting a senior manager on the hook for a decision nobody can explain. The honest answer is that most internal AI is safe to start now, and most customer-facing autonomous AI is not, until you have built the controls first.

This guide is for the COO, CRO, or head of compliance at a regulated firm who wants to adopt AI without learning the rules the expensive way. It covers what the FCA and PRA actually expect, how the Consumer Duty bites on AI, where SS1/23 applies, what explainability means in practice, and a controls table mapping common use cases to the risk and the control that makes each one deployable.

Last updated 29 May 2026.

One honesty note up front. OpenKit is a UK AI and software consultancy, not an FCA-authorised firm and not a regulator. We help financial firms design and deploy AI in line with FCA, Consumer Duty, and PRA expectations, working alongside your compliance function and your authorised advisers. We hold ISO 27001, ISO 9001, and Cyber Essentials and are GDPR compliant. We are not certified to ISO 42001 or SOC 2, and nothing here is regulatory or legal advice.

What does the FCA expect from firms using AI?

The FCA has not written a separate AI rulebook, and that is the point most firms get wrong. Its position is technology-neutral: AI is governed by the rules you already follow, including the Senior Managers and Certification Regime, the Consumer Duty, operational resilience, and existing model and outsourcing expectations.[1] There is no grace period for a regime that already applies.

In practice this means a named senior manager owns the outcomes of any material AI system under SM&CR, the same way they own any other business decision. The FCA and Bank of England have run a joint AI Public-Private Forum and periodic surveys of AI use in the sector, and the consistent signal is governance, accountability, and data quality rather than a ban on the technology itself.[2] So the safe reading is that the regulator expects you to apply your existing control framework to AI with the same rigour you apply to any process that affects customers or capital.

How does the Consumer Duty apply to AI tools?

The Consumer Duty applies to any AI that touches a retail customer outcome, and it sets a higher bar than “the model is accurate.” Under the Duty you must act to deliver good outcomes, avoid foreseeable harm, and support customers in pursuing their financial objectives, which means an AI tool has to be judged by what it does to the customer, not by its technical metrics.[3]

That has three concrete consequences for deployment. A pricing or eligibility model that produces different outcomes for similar customers is a fair value and foreseeable harm problem the moment you cannot justify the difference. A chatbot that nudges a customer toward a worse product because the model optimises for conversion is the kind of behavioural exploitation the Duty’s “consumer understanding” and “consumer support” outcomes are written to catch. And any decision a customer can challenge has to be one you can explain in plain language, which rules out a black box you bolted on because it scored well in testing.

Does SS1/23 model risk management apply to AI models?

Yes, where your firm is in scope. The PRA’s supervisory statement SS1/23 on model risk management principles took effect on 17 May 2024, and it explicitly treats AI and machine learning techniques as models within its definition.[4] If you have read it as a capital-models document, re-read it: it reaches far wider than that.

SS1/23 is built on five principles covering model identification and a model tier rating, governance, development and implementation, validation, and the use of vendor and third-party models.[4] For an AI programme that translates into a short list of obligations you can plan against.

  • A model inventory. Every AI model, including third-party and vendor tools, recorded with its purpose, owner, and materiality tier.
  • Independent validation. Someone other than the people who built or bought the model checks it is fit for purpose before use and on an ongoing basis.
  • Tiering by materiality. A summarisation aide and a credit-decision model do not need the same scrutiny, and the tier sets how much validation each gets.
  • Ongoing monitoring. Models drift; the statement expects you to watch performance over time, not validate once and forget.
  • Third-party and vendor coverage. Buying a model does not move the risk off your books; the same expectations apply to tools you did not build.

The practical trap is scope. Plenty of tools a firm files under “automation” or “productivity” are models under SS1/23, so the first job is an honest inventory before you decide what each one needs.

What does explainability mean in a regulated firm?

Explainability in financial services is not a single technical feature. It is the ability to give a defensible, plain-language reason for a decision to the person affected, to your own senior manager, and to a supervisor who asks after the fact. A SHAP plot satisfies a data scientist; it does not satisfy a customer who was declined or an FCA reviewer testing your Consumer Duty outcomes.

This is why model choice is a governance decision, not just a performance one. The more a use case affects a customer or a regulatory record, the more the explainability requirement constrains what you can deploy, and a marginally more accurate model that nobody can interrogate is often the wrong choice in a regulated setting. The defensible pattern is to match the model’s opacity to the use case’s stakes, keep a human in the loop wherever a decision is contestable, and document the rationale at the point of the decision rather than reconstructing it under pressure later.

A controls table: use case, risk, and the control that makes it deployable

The table below maps common financial services AI use cases to the dominant regulatory risk and the control that makes each one defensible to deploy. It is a planning aid for scoping, not a compliance sign-off; your compliance function and authorised advisers own the final call.

| AI use case | Dominant regulatory risk | Control that makes it deployable |
| --- | --- | --- |
| Internal document summarisation and policy search | Data leakage; reliance on an unverified summary. | Private deployment or no-training data terms, plus a human reviewer before any output reaches a customer or a record. |
| Customer-service chatbot or assistant | Consumer Duty: wrong or misleading information, behavioural nudging. | Scope limits, escalation to a human, response logging, and testing against the Duty outcomes before launch. |
| Credit, pricing, or eligibility decisioning | SS1/23 model risk; fair value; bias and foreseeable harm. | Model inventory entry, materiality tiering, independent validation, bias testing, and an explainable, contestable decision. |
| AML transaction monitoring and fraud detection | Model risk; false negatives missing reportable activity. | Validation, ongoing monitoring of alert quality, audit trail, and human review of flagged cases. |
| Suitability or advice support tools | Consumer Duty and advice rules; unexplained recommendations. | Adviser remains accountable, model output framed as input not decision, full explainability and record-keeping. |
| Regulatory reporting and reconciliation | Accuracy of a regulatory return; SM&CR accountability. | Validation against source data, reconciliation checks, and a named owner signing off before submission. |

The honest read of that table: the controls do not change much by technology, but the effort does. Internal, human-reviewed tools clear the bar quickly, while anything that decides something about a customer carries the full weight of SS1/23 and the Consumer Duty, so that is where the time and the validation budget go.

How do you adopt AI safely in a regulated firm?

Start where the conduct risk is lowest and the value is easy to evidence, then earn your way up to the harder use cases. Internal, human-in-the-loop tools, such as summarisation, knowledge search over your own policies, and drafting support, let a firm build the data controls, acceptable-use policy, and oversight muscle on low-stakes ground before anything touches a customer decision.

A defensible adoption sequence looks like this in practice.

  • Inventory first. List every AI system in use or planned, including shadow tools staff already use, and record what data each touches and whose outcomes it affects.
  • Classify by impact, not by hype. Separate internal-only tools from anything that influences a customer outcome, a capital figure, or a regulatory return; the second group is where SS1/23 and the Consumer Duty land.
  • Set data controls before deployment. Decide where data goes, whether it can train a third-party model, and how you evidence GDPR and confidentiality, which is where our private AI work fits for firms that need data to stay in their control.
  • Name the accountable senior manager. SM&CR means someone owns each material AI outcome; make that explicit at the start rather than discovering it during a review.
  • Build validation and monitoring in, not on. For models in scope of SS1/23, independent validation and ongoing monitoring are part of the design, not a later add-on.

OpenKit works with UK financial firms on this adoption work, from the AI financial services capability through to design and build. We are not FCA authorised and not a regulator, so we operate alongside your compliance function: we help you scope which use cases are safe to deploy, design the controls and oversight, and build the systems, while your authorised advisers own the regulatory positions. An independent AI audit is often the right first step, because it gives you an inventory and a risk view before you commit to a build, and our AI governance and compliance work covers the documentation and oversight architecture that makes a system defensible rather than performative.


Frequently asked questions

Does the FCA have specific rules for AI in financial services?

Not a standalone AI rulebook. The FCA applies its existing technology-neutral framework: senior manager accountability under SM&CR, the Consumer Duty, operational resilience, and existing model and outsourcing expectations. So AI is governed by rules you already have to follow, not by a separate regime you can wait to read.

How does the Consumer Duty apply to AI tools?

The Consumer Duty applies to any AI that affects retail customer outcomes. You must show the tool supports good outcomes, avoids foreseeable harm, does not exploit behavioural bias, and produces decisions you can explain to a customer. An opaque model that cannot justify an outcome is a Duty problem, not just a technical one.

Does SS1/23 model risk management apply to AI and machine learning models?

Yes, where the firm is in scope. The PRA supervisory statement SS1/23 took effect on 17 May 2024 and explicitly covers AI and machine learning as models. It expects a model inventory, tiering by materiality, independent validation, and ongoing monitoring. Many AI tools that firms call automation are models under this definition.

Can we deploy a large language model in a regulated firm?

For internal drafting, research, and summarisation with a human reviewer, yes, with data controls and an acceptable-use policy. For autonomous decisions about customers, such as credit, pricing, or suitability, you need explainability, validation, and human oversight that meet FCA and SS1/23 expectations before deployment, not after.

What AI use cases are lowest risk to start with?

Internal-facing tools where a person reviews the output before it reaches a customer or a regulatory record. Document summarisation, knowledge search over your own policies, meeting notes, and code assistance carry low conduct risk. The risk rises sharply once AI influences a customer decision or feeds a regulatory return without review.

Is OpenKit FCA authorised or able to give regulatory advice?

No. OpenKit is a UK AI and software consultancy, not an FCA-authorised firm and not a regulator. We help financial firms design and deploy AI in line with FCA, Consumer Duty, and SS1/23 expectations, working alongside your compliance function. For formal regulatory or legal advice, you should use your authorised advisers.

What certifications does OpenKit hold?

OpenKit holds ISO 27001, ISO 9001, and Cyber Essentials, and is GDPR compliant. We are not certified to ISO 42001 or SOC 2, and we do not hold any FCA authorisation. We are direct about what those certifications cover so you can scope where independent assurance is still needed.

References

  1. Financial Conduct Authority. AI Update (April 2024), accessed on 29 May 2026, https://www.fca.org.uk/publication/corporate/ai-update.pdf
  2. Bank of England and Financial Conduct Authority. Artificial intelligence in UK financial services survey (2024), accessed on 29 May 2026, https://www.bankofengland.co.uk/report/2024/artificial-intelligence-in-uk-financial-services-2024
  3. Financial Conduct Authority. Consumer Duty, accessed on 29 May 2026, https://www.fca.org.uk/firms/consumer-duty
  4. Prudential Regulation Authority. Supervisory Statement SS1/23: Model risk management principles for banks (May 2023), accessed on 29 May 2026, https://www.bankofengland.co.uk/prudential-regulation/publication/2023/may/model-risk-management-principles-for-banks-ss
  5. Information Commissioner’s Office. Guidance on AI and data protection, accessed on 29 May 2026, https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/
