AI governance, FCA compliance and operational resilience
Practical Guide: Implementing an AI Compliance Framework After the Mills Review
For large UK advice firms, wealth managers, mortgage networks and consolidators
Core recommendation
Large advice firms should treat the Mills Review as an early signal to formalise AI governance now. The practical priority is not to wait for a standalone AI rulebook, but to build a controlled, evidence-led framework that fits Consumer Duty, SM&CR, data protection, operational resilience, financial crime and existing compliance oversight.
Executive Summary
The FCA's Mills Review, published on 6 July 2026, sets out how AI could reshape retail financial services by 2030 and beyond. It describes a shift from human-led, episodic financial activity towards AI-enabled, continuous and delegated services. For large advice firms, the most important implication is operational: AI governance will need to become a standing compliance capability, not a technology side project.
This guide translates the Review's seven FCA-facing recommendations into practical changes large advice firms should begin making across governance, oversight, data, vendor management, human review, client outcomes, monitoring and evidence.
- Immediate priority: create a controlled AI inventory and classify every use case by client impact, autonomy, data sensitivity and regulatory risk.
- Governance priority: define who owns AI risk, who approves use cases, what human oversight means in practice, and how challenge and escalation are recorded.
- Compliance priority: move from periodic policy review towards live monitoring, management information, auditability and clear evidence of control.
- Operational priority: centralise AI-related evidence so compliance, risk, operations and senior managers can see how AI is being used and whether controls are working.
1. What the Mills Review changes for advice-firm compliance
The Mills Review is directed at the FCA Board and Executive, not at advice firms as a new rulebook. However, it gives a strong indication of how supervisory expectations may evolve as AI becomes more autonomous, embedded and influential in consumer journeys.
| Mills Review signal | Practical meaning for large advice firms | Compliance response |
|---|---|---|
| AI-enabled, continuous and delegated services | AI may sit inside advice operations, monitoring, onboarding, servicing, compliance review and client communications. | Create a full AI use-case register and approval process. |
| Human oversight must be specific | It will not be enough to say a person remains 'in the loop'. The firm must define what the person reviews, when they intervene and how challenge is evidenced. | Document human oversight protocols for each material AI use case. |
| AI governance becomes a core capability | AI systems may update continuously, use third-party inputs, and create probabilistic outputs. | Introduce live monitoring, drift checks, performance review and exception reporting. |
| Third-party dependency increases | Firms may depend on AI providers, infrastructure and specialist vendors for important operational capability. | Strengthen vendor due diligence, data controls, contractual oversight and exit planning. |
| FCA supervision may become more AI-enabled | Future supervision may expect richer, more structured, more accessible evidence from firms. | Improve compliance MI, data quality and audit trails now. |
2. Translate the seven recommendations into firm-level actions
| FCA recommendation | Firm-level implication | First practical action |
|---|---|---|
| 1. Secure and adapt the regulatory perimeter. | Map where AI is used in regulated, quasi-regulated and support activities. Pay close attention to client-facing guidance, triage, suitability support, vulnerability identification and communications. | Complete an AI regulatory impact map. |
| 2. Strengthen system-wide coordination and oversight. | Create a cross-functional AI governance forum involving compliance, risk, operations, technology, data protection, financial crime and senior management. | Set up an AI governance forum and terms of reference. |
| 3. Monitor the transition to autonomous models. | Classify use cases by autonomy level: assistive, recommendation, decision support, delegated action or autonomous monitoring. Apply tighter controls as autonomy increases. | Create an autonomy risk classification model. |
| 4. Scale up innovation through the FCA AI Lab. | Use FCA AI Lab outputs, AI good and poor practice, and regulatory engagement as benchmark material for internal assurance. | Assign a horizon-scanning owner for FCA AI outputs. |
| 5. Enable the foundations for agentic finance. | Prepare for consumer journeys where third-party AI agents may compare, prompt, challenge or transact on behalf of clients. Review permissions, identity, consent, data access and recordkeeping. | Run an agent-led client journey workshop. |
| 6. Build an AI-enabled agentic supervisory model. | Assume supervisory interactions will become more data-led. Improve structured compliance evidence, MI quality, issue tracking and demonstrable control effectiveness. | Build an AI controls MI pack. |
| 7. Develop a public-interest AI-enabled financial capability service. | Consider how clients may arrive better informed, differently informed or misinformed by AI tools. Update client communication, vulnerability, disclosure and advice-boundary controls. | Refresh advice-boundary and client education controls. |
3. The practical AI compliance framework
Large advice firms should implement a framework that is proportionate to the role AI plays in the business. The framework should cover internal AI tools, vendor AI, embedded AI in existing platforms, AI used by appointed representatives or advisers, and AI interactions that affect clients indirectly.
AI policy and risk appetite
Define permitted, restricted and prohibited AI use; set approval thresholds; link the policy to Consumer Duty, SM&CR, data protection, financial crime, vulnerable customers and operational resilience.
AI use-case register
Record every AI use case, including owner, purpose, business area, data used, vendor, autonomy level, client impact, control owner, approval status and review date.
Client impact assessment
Assess whether the use case affects advice quality, suitability, communications, vulnerability treatment, product recommendations, complaint handling, fees, servicing or client understanding.
Human oversight protocol
Define what the human reviewer sees, what they must check, when they can override, how disagreement is recorded and when escalation is mandatory.
Data governance controls
Confirm source data quality, permission, minimisation, retention, access control, data leakage controls and how client data is protected when using external tools.
Model and vendor due diligence
Review model purpose, limitations, explainability, security, data use, subcontractors, service resilience, audit rights, monitoring support and exit options.
Testing and validation
Test outputs before deployment and after material change. Include accuracy, bias, hallucination, suitability risk, vulnerability handling, complaints risk and operational failure modes.
Live monitoring and MI
Monitor usage, exceptions, overrides, complaints, outliers, drift, adviser reliance, client harm indicators and control breaches through a standing MI pack.
Recordkeeping and audit trail
Retain evidence of approvals, prompts where appropriate, output review, adviser decisions, client-impact checks, issues, remediation and senior management review.
Assurance and continuous improvement
Schedule second-line reviews, internal audit testing, board reporting, lessons learned, policy refreshes and training updates.
4. Priority changes large advice firms should make
The following changes are the highest-value starting point for firms that already use AI informally or through existing platforms, but have not yet formalised AI-specific compliance oversight.
- Move from informal AI use to controlled AI inventory
Advisers and operational teams may already be using AI tools to draft, summarise, analyse or triage information. The firm needs visibility before it can control risk.
- Move from generic human-in-the-loop statements to defined oversight
For each use case, document the expected human role: operator, collaborator, consultant, approver or observer. The higher the autonomy, the stronger the evidence requirement.
- Move from technology procurement to regulatory due diligence
AI vendor review should include regulatory impact, data use, model limitations, change notification, audit support and resilience, not just security and commercial terms.
- Move from periodic sampling to live control monitoring
Where AI operates continuously, compliance oversight should include ongoing metrics, exceptions, override rates and outcome indicators.
- Move from fragmented records to a single source of truth
AI approvals, risk assessments, monitoring, incidents and senior management updates should be centrally held and easy to evidence.
5. Governance model for large firms
A large firm should avoid leaving AI governance entirely inside technology, compliance or operations. The operating model should make ownership clear across the three lines of defence while preserving senior accountability.
| Forum / owner | Role | Minimum cadence | Evidence produced |
|---|---|---|---|
| Board / Executive Committee | Approve AI risk appetite, oversee material risks, review significant incidents and client-outcome trends. | Quarterly | Board AI risk report, appetite statement, decision log |
| SMF16 / Compliance Director | Own compliance interpretation, second-line challenge and control effectiveness for regulated use cases. | Monthly | Compliance AI MI, exceptions, remediation tracking |
| AI Governance Forum | Approve use cases, review risk assessments, monitor vendor and data controls, coordinate policy updates. | Monthly | Use-case approvals, control attestations, risk decisions |
| Data Protection / Security | Assess data use, access, retention, leakage, cyber and operational resilience implications. | At approval and change | DPIAs, security reviews, resilience assessments |
| Business Owner | Own the operational use case, user training, adherence to controls and first-line monitoring. | Ongoing | Use logs, training records, issue reports |
| Internal Audit / Assurance | Test whether the framework works in practice and whether evidence supports senior management confidence. | Annual or risk-based | Audit report, findings, management actions |
6. Practical roadmap
| Phase | Objective | Key actions | Evidence by end of phase |
|---|---|---|---|
| 0-30 days | Gain visibility | Identify existing AI use; issue interim usage guidance; nominate owners; block high-risk uncontrolled use. | Initial AI inventory, interim policy note, named owners |
| 30-90 days | Put controls around material use | Classify use cases; approve or pause high-impact tools; complete vendor and data checks; define human oversight. | Risk assessments, oversight protocols, vendor due diligence |
| 90-180 days | Build management information | Launch AI governance forum; create MI pack; monitor exceptions, overrides, incidents and client-impact indicators. | Forum minutes, MI pack, issue log, remediation plan |
| 6-12 months | Embed assurance | Run second-line testing; refresh training; benchmark against FCA AI good and poor practice when released; report to board. | Assurance report, training evidence, board update |
7. Minimum evidence pack for an AI compliance framework
The evidence pack should make it easy for senior management, compliance, risk and future supervisors to understand what AI is used for, why it is controlled, and whether the controls are working.
- AI policy and risk appetite statement.
- AI use-case register with autonomy and client-impact classification.
- AI client impact assessment template.
- AI vendor due diligence checklist and approved-vendor list.
- Human oversight protocol for each material use case.
- Data protection and information security assessment.
- Testing, validation and monitoring records.
- AI incident, issue and override log.
- Compliance MI pack for senior management and board reporting.
- Training records and adviser/employee attestations.
- Annual assurance plan and completed review findings.
8. BAT Software perspective
The Mills Review reinforces a direction BAT has already been seeing across the advice market: compliance is becoming more operational, more data-led and more dependent on structured evidence. For large firms, AI compliance will not be managed well through scattered documents, informal approvals or isolated technology decisions.
A centralised compliance operating model gives firms a practical foundation: one place to manage oversight activity, evidence, file reviews, exceptions, MI and senior management visibility. As AI becomes more embedded in advice operations, this centralised view becomes more important, because the firm must be able to show not only that controls exist, but that they are working.
9. Board and SMF16 discussion questions
- Do we know where AI is already being used across advisers, operations, compliance, marketing and client servicing?
- Which AI use cases could affect client understanding, suitability, vulnerability, complaints, AML, financial crime or Consumer Duty outcomes?
- Have we defined what human oversight means for each material AI use case?
- Can we evidence the data, prompt, output, review decision and escalation pathway where AI supports regulated activity?
- Do our vendors give us enough transparency, monitoring support, contractual control and exit capability?
- What AI-related MI should the board, SMF16 and compliance leadership see each month or quarter?
- What would we show the FCA if asked how AI is governed across the firm?
10. Publication and approval caveats
- This guide is a practical marketing and compliance-operations guide, not legal advice.
- The Mills Review makes recommendations for the FCA Board and Executive to consider; it does not itself create a new FCA rulebook for advice firms.
- Any firm-specific framework should be reviewed against the firm's permissions, business model, technology stack, data arrangements, outsourcing, SM&CR responsibilities and Consumer Duty governance.
- References to AI compliance should be approved by compliance, legal and product owners before external publication.
Source notes
- The Mills Review: AI and the future of retail financial services Financial Conduct Authority, published 6 July 2026.
- FCA publishes landmark review into the impact of AI on retail financial services Financial Conduct Authority press release, published 6 July 2026.
- BAT Software Shared business context and positioning guidance.
Turn AI governance into evidence you can manage
BAT helps advice firms centralise compliance oversight, structured evidence, management information and AI-assisted file checking, while preserving the firm's own governance and accountability.