AI for UK Financial Services | OpenKit

AI for UK financial services.

AI is moving into UK financial services faster than most firms know how to assess it under SMCR and Consumer Duty. We help you map where it fits in your firm, and build bespoke systems where the work calls for it. Across wealth managers, IFAs, fintech SMEs, retail bank teams and treasury functions.

ISO 27001 certified · FCA SYSC aligned · SMCR audit trail
75%
of UK financial services firms now use AI in some form.
Source: Bank of England / FCA AI survey, 2024

OpenKit helps UK financial services firms — wealth managers, IFAs, fintech SMEs, retail bank teams and treasury functions — work out where AI fits across their firm and builds bespoke systems where the work calls for it. Delivery aligns with FCA SYSC operational resilience, Consumer Duty, SMCR personal accountability, PRA SS1/23 where in scope, and the Data (Use and Access) Act 2025 ADM safeguards. OpenKit holds ISO 27001, ISO 9001, and Cyber Essentials certifications.

OpenKit is a UK AI consulting firm that helps financial services firms — wealth managers, IFAs, fintech SMEs, retail bank teams and treasury functions — work out where AI fits across their firm and builds bespoke systems where the work calls for it. OpenKit delivers client document understanding, advisor and complaints copilots, regulatory reporting workflows, and private knowledge systems shaped to each firm's own permissions and stack, aligned with FCA SYSC, Consumer Duty, SMCR and the post-DUAA automated-decision regime. OpenKit has ISO 27001, ISO 9001, and Cyber Essentials certifications and works with clients across the United Kingdom from a base in Cambridge.

What we keep hearing
from financial services leaders.

Four patterns we see in every financial-services audit. Each one is also a reason most off-the-shelf AI rollouts stall before the supervisor sees them.

46%
of UK financial services firms report only partial understanding of how their own AI systems work.

Adoption has outrun governance.

75% of UK firms now use AI. The board has approved the spend; the team has shipped the pilot — and nobody can name the senior manager who owns the model under SMCR.

Source: Bank of England / FCA AI survey, 2024.
PATTERN 02

Senior managers carry personal liability.

The FCA's position is that delegating a decision to an algorithm does not delegate legal accountability under SMCR. The Mills Review is expected to set binding-in-all-but-name guidance on what senior-manager oversight of AI looks like.

FCA Mills Review · SMCR personal accountability framework
PATTERN 03

The new ADM regime forces human-in-the-loop.

Section 80 of the Data (Use and Access) Act 2025 came into force on 5 February 2026, replacing UK GDPR Article 22. Significant decisions now require explanations, representations, and a human reviewer with real authority to override the AI.

Data (Use and Access) Act 2025 · in force 5 Feb 2026
PATTERN 04

Customer data cannot leave the controlled environment.

Consumer Duty, SYSC operational resilience and PRA SS1/23 all push toward AI inside the firm's controlled estate — with audit logging, model-risk evidence and data lineage available on request.

FCA SYSC · PRA SS1/23 model risk management principles

Where AI tends to fit
in UK financial services.

These are the areas that come up most often in financial-services audits. We don't ship them off the shelf. Every implementation is shaped to your firm, your stack, and what is safe to defend under SMCR and Consumer Duty.

01 — Client document understanding

Under Consumer Duty, with citation built in.

KYC and AML onboarding, suitability evidence, complex client correspondence, suitability-letter drafting against the firm's own templates. Every output anchored to the source paragraph so an advisor or compliance reviewer can verify before the document leaves the firm.

  • Onboarding extraction with zero-retention OCR
  • Suitability letter drafting against firm templates
  • Cited against source paragraph on every clause
  • Audit log retained per FCA SYSC and ICO guidance
02 — Advisor & complaints copilots

The audit trail is the product.

Suitability checks, fair-value review, complaints triage. Every interaction logged with timestamp, prompt, retrieved context, model version and confidence so the responsible senior manager has a defensible per-case trail.

  • Suitability check copilots for wealth / IFA
  • Fair-value review for product teams
  • Complaints triage with reason-code routing
  • Per-case SMCR-ready evidence pack
03 — Regulatory reporting

LLMs extract. Rules decide. Both are traced.

Transaction reporting reconciliation, fair-value MI, complaints MI, AML/CTF risk dashboards. The Kaption build is the worked example — four-step framework, AI extracts and tests, the conclusion is derived from rules.

  • Transaction reporting reconciliation
  • Fair-value MI assembled from source records
  • AML/CTF dashboards with rule-derived verdicts
  • Langfuse-traced prompt versioning end-to-end
04 — Internal knowledge systems

Searchable, cited answers from the Handbook and your own materials.

Assistants that answer questions from the FCA Handbook sections that apply to your permissions, your SYSC manual, complaints precedent, prior suitability letters and committee minutes, citing where every answer came from. Refuses out-of-scope. Stays inside your controlled environment.

  • Scoped to the Handbook sections your permissions cover
  • SYSC manual and complaints precedent indexed
  • Refuses out-of-scope, never invents a citation
  • Runs inside your controlled environment

An example of what this can look like in practice.

A suitability check with the audit trail built in. Drafts the suitability check from the fact-find, cites the relevant Handbook paragraphs, and queues for advisor sign-off. Every step retained for SMCR. We shape work like this around your existing workflow rather than ship it off the shelf.

Draft only · Advisor sign-off required. The model never books. It never updates a client record. The named senior manager owns every AI-assisted output.

The model drafts. The advisor signs off. The SMCR holder owns it.

Work like this for financial services follows a consistent shape: the model never autoreplies, never updates a client record on its own, and never books a transaction without an advisor of record signing the draft. The audit log retains the prompt, the cited paragraphs, the advisor's edits, and the final version.

  • Fact-find in, structured suitability check out
  • Cited against FCA Handbook + firm templates
  • Always queues for advisor sign-off — never autoreplies
  • Audit log retained per FCA SYSC and ICO guidance
  • Runs inside your controlled environment

How we engage.

Most engagements start with the audit. What follows depends on what it surfaces. Many firms move into a transformation block on their existing CRM and Microsoft 365 estate, some take on a senior AI lead to carry the SMCR-facing work, and a few commission a bespoke build where nothing off-the-shelf will fit.

The UK financial-services
stack we integrate with.

We build on your existing CRM, platform, and Microsoft 365 estate. No rip-and-replace. Below is a sample of what we routinely integrate with. We work across many other systems too, so bring us your stack.

/ business systems

  • Microsoft 365 · SharePoint
  • Salesforce (UK)
  • Power Automate
  • REST / SOAP APIs
  • On-prem PostgreSQL

/ document & OCR

  • M365 document libraries
  • AWS S3 (UK region)
  • Zero-retention OCR (Textract)
  • DocuSign · Adobe Sign
  • Custom OCR pipelines

/ identity & access

  • Microsoft Entra ID
  • SAML 2.0 / OIDC
  • Role-based access control
  • Full audit logging
  • Per-case access trails

/ LLM deployment

  • Claude UK / EU region
  • OpenAI on Azure UK / EU
  • Open-weights on private GPU
  • On-prem for sovereign
  • Langfuse trace logging
REGULATED CONTROLS: ISO 27001 · ISO 9001 · Cyber Essentials · UK GDPR

Engagements we have run
in financial services and audit-tech.

A sample of recent work. Some clients are named with permission; others stay anonymised. Outcomes described without internal artefacts.

— 01

Kaption

AI controls audit · Four-step framework · Langfuse-traced · Named with permission
A six-week MVP of an AI controls-testing platform for an audit-tech founder, built around a four-step deterministic framework where the model extracts and tests but the conclusion is derived from rules. EU data sovereignty on AWS, zero-retention OCR via Textract, Langfuse for prompt versioning and trace logging, cell-level citation trails on every answer.
Outcome: Alpha batch test: 79.5% alignment with the human auditor on first pass, projected 93–95% post-fix. Failure modes published in full alongside the remediation plan.
— 02

A UK private-client advisory firm

Multi-site · Suitability + onboarding · Proposal stage · Anonymised
Audit-first scope: map AI fit across the firm's existing advisory and document workflows, identify SMCR ownership for any AI-assisted suitability decision, and propose a Transformation Block roadmap inside the existing Microsoft 365 / CRM stack.
Outcome: Audit scope agreed. SMCR ownership grid drafted. Transformation Block proposal in flight.

The regulatory floor
we build on.

What we hold and what we operate to. We surface gaps and propose mitigations. We are not a regulatory certifying body.

CERTIFIED

ISO 27001

Information security management. Independent third-party audited.

CERTIFIED

ISO 9001

Quality management. Independent third-party audited.

CERTIFIED

Cyber Essentials

UK NCSC baseline cyber-hygiene certification.

COMPLIANT

UK GDPR

Data processing register maintained per ICO guidance.

We hold ISO 27001, ISO 9001, and Cyber Essentials certifications independently, and operate to UK GDPR. We are not an auditor and we are not a regulator. Delivery is designed to help the firm meet its own obligations under the UK regulatory regimes that apply to its work. Senior management accountability sits with the firm's SMCR holders.

Questions heads of compliance
and senior managers ask.

What does an AI consultancy for UK financial services actually do?
We audit where AI fits inside your permissions and where it does not, build on the stack you already run (Microsoft 365, your CRM, your platform), and leave a senior engineer in the team to keep the work compliant under Consumer Duty, SMCR and the post-DUAA automated-decision regime. We do not sell strategy decks. The output is an auditable workflow that a senior manager can defend to the FCA.
Will AI replace advisors, paraplanners or compliance reviewers?
No. The FCA's position is that senior managers retain personal accountability under SMCR regardless of how a decision was reached. The DUAA 2025 requires meaningful human intervention by a reviewer with authority and competence to override the AI for any significant decision. We build copilots that let advisors handle more cases at higher consistency, with a citation-anchored audit trail per interaction.
How does this work with the FCA Handbook, Consumer Duty and SMCR?
The audit produces an SMCR ownership grid that names the senior manager accountable for each AI-assisted workflow, a Consumer Duty fair-value and foreseeable-harm review of every workflow where AI touches a customer outcome, and an evidence plan that documents model selection, testing and ongoing monitoring. The FCA confirmed in 2026 that it will not introduce AI-specific rules.
What about PRA SS1/23 if we are a bank or PRA-designated firm?
SS1/23 is technology-agnostic but explicitly captures AI and ML models, and the PRA flagged AI adoption as a 2026 supervisory priority. For PRA-regulated firms we extend the audit to include the SS1/23 five principles and produce model-risk documentation that fits inside your existing MRM framework.
Can we keep client data on-prem or in a UK / EU controlled environment?
Yes. Anthropic Claude on UK / EU regions or OpenAI on Azure UK / EU as the default cloud options, open-weights models on private GPU for sovereign requirements, and full on-prem for firms where data residency rules out cloud LLMs entirely. We also ship zero-retention OCR. Every deployment carries an ISO 27001-aligned audit logging trail and a UK GDPR data processing register.
Does this integrate with our CRM, platform and Microsoft 365 estate?
Our verified integrations include Microsoft 365 (SharePoint, document libraries, Entra ID), Power Automate for workflow integration, Salesforce, REST/SOAP API connections, on-prem PostgreSQL, and Langfuse for prompt versioning and trace logging. We do not name core-banking platforms we have not delivered against; we scope the integration honestly during the audit.
Who is liable if an AI-assisted decision goes wrong under Consumer Duty?
Liability sits where it has always sat under SMCR: with the named senior manager accountable for the function. The DUAA 2025 reinforces this — meaningful human intervention is a statutory safeguard, and a human rubber-stamping the AI output does not meet it. We design the workflow so the human reviewer has the citations, the retrieved context, the model's confidence signal, and a real path to override.
How long does a financial services AI engagement take?
The audit is fixed-fee and fixed-scope. A Transformation Block is a build-and-train engagement priced per scope and ships an integrated pilot inside your existing stack with the team trained on it. The Senior AI Lead is a rolling monthly retainer that begins once you have a Transformation Block in production. A bespoke build (the Kaption pattern) is scoped after the audit. Numbers are shared during a discovery call so we can size against what you actually want to do.
What does it cost?
Pricing is fixed before kickoff and bands are shared on a discovery call. The audit is fixed-fee, the Transformation Block is priced per scope, the Senior AI Lead is a rolling monthly retainer, and bespoke builds are quoted after the audit so the price reflects what the audit actually surfaced. No discovery-call surprises on the invoice. No retainer required to access the audit.
How is OpenKit different from the Big Four or a fractional CAIO consultancy?
The Big Four split strategy and implementation across separate teams on separate budgets; the senior engineer on day one is rarely the senior engineer on day ninety. Faculty AI (now part of Accenture) and the larger Gemini-set firms — Digiterre, Scott Logic, BJSS, Altus Consulting — operate at enterprise scale with day-rate or T&M engagements. The fractional CAIO retainer puts an advisor in the room but does not write code. The productised offerings — Wealth IQ, Dailoqa, Holistic AI — sell a product, not a build against your own corpus. We do both: a senior engineer audits the work, scopes the build, ships the integration, trains the team, and stays on as the Senior AI Lead. Our audit is fixed-fee, which the buyer can self-qualify against without a procurement cycle.
UK FINANCIAL SERVICES
/ start here

Want to find where AI fits
in your firm?

Start with the audit. Fixed fee, fixed scope, a written report you can take to a board or an audit committee, and a prioritised plan for what to build first.
