Implementing an AI Compliance Framework After the Mills Review | BAT Software

AI governance, FCA compliance and operational resilience

Practical Guide: Implementing an AI Compliance Framework After the Mills Review

For large UK advice firms, wealth managers, mortgage networks and consolidators

Prepared for BAT Software | Source-led working guide | July 2026
FCA AI governance Consumer Duty SM&CR Compliance MI

Core recommendation

Large advice firms should treat the Mills Review as an early signal to formalise AI governance now. The practical priority is not to wait for a standalone AI rulebook, but to build a controlled, evidence-led framework that fits Consumer Duty, SM&CR, data protection, operational resilience, financial crime and existing compliance oversight.

Executive Summary

The FCA's Mills Review, published on 6 July 2026, sets out how AI could reshape retail financial services by 2030 and beyond. It describes a shift from human-led, episodic financial activity towards AI-enabled, continuous and delegated services. For large advice firms, the most important implication is operational: AI governance will need to become a standing compliance capability, not a technology side project.

This guide translates the Review's seven FCA-facing recommendations into practical changes large advice firms should begin making across governance, oversight, data, vendor management, human review, client outcomes, monitoring and evidence.

  • Immediate priority: create a controlled AI inventory and classify every use case by client impact, autonomy, data sensitivity and regulatory risk.
  • Governance priority: define who owns AI risk, who approves use cases, what human oversight means in practice, and how challenge and escalation are recorded.
  • Compliance priority: move from periodic policy review towards live monitoring, management information, auditability and clear evidence of control.
  • Operational priority: centralise AI-related evidence so compliance, risk, operations and senior managers can see how AI is being used and whether controls are working.

1. What the Mills Review changes for advice-firm compliance

The Mills Review is directed at the FCA Board and Executive, not at advice firms as a new rulebook. However, it gives a strong indication of how supervisory expectations may evolve as AI becomes more autonomous, embedded and influential in consumer journeys.

How the Mills Review signals translate into practical compliance responses
Mills Review signalPractical meaning for large advice firmsCompliance response
AI-enabled, continuous and delegated servicesAI may sit inside advice operations, monitoring, onboarding, servicing, compliance review and client communications.Create a full AI use-case register and approval process.
Human oversight must be specificIt will not be enough to say a person remains 'in the loop'. The firm must define what the person reviews, when they intervene and how challenge is evidenced.Document human oversight protocols for each material AI use case.
AI governance becomes a core capabilityAI systems may update continuously, use third-party inputs, and create probabilistic outputs.Introduce live monitoring, drift checks, performance review and exception reporting.
Third-party dependency increasesFirms may depend on AI providers, infrastructure and specialist vendors for important operational capability.Strengthen vendor due diligence, data controls, contractual oversight and exit planning.
FCA supervision may become more AI-enabledFuture supervision may expect richer, more structured, more accessible evidence from firms.Improve compliance MI, data quality and audit trails now.

2. Translate the seven recommendations into firm-level actions

The seven FCA-facing recommendations and the first practical action for advice firms
FCA recommendationFirm-level implicationFirst practical action
1. Secure and adapt the regulatory perimeter.Map where AI is used in regulated, quasi-regulated and support activities. Pay close attention to client-facing guidance, triage, suitability support, vulnerability identification and communications.Complete an AI regulatory impact map.
2. Strengthen system-wide coordination and oversight.Create a cross-functional AI governance forum involving compliance, risk, operations, technology, data protection, financial crime and senior management.Set up an AI governance forum and terms of reference.
3. Monitor the transition to autonomous models.Classify use cases by autonomy level: assistive, recommendation, decision support, delegated action or autonomous monitoring. Apply tighter controls as autonomy increases.Create an autonomy risk classification model.
4. Scale up innovation through the FCA AI Lab.Use FCA AI Lab outputs, AI good and poor practice, and regulatory engagement as benchmark material for internal assurance.Assign a horizon-scanning owner for FCA AI outputs.
5. Enable the foundations for agentic finance.Prepare for consumer journeys where third-party AI agents may compare, prompt, challenge or transact on behalf of clients. Review permissions, identity, consent, data access and recordkeeping.Run an agent-led client journey workshop.
6. Build an AI-enabled agentic supervisory model.Assume supervisory interactions will become more data-led. Improve structured compliance evidence, MI quality, issue tracking and demonstrable control effectiveness.Build an AI controls MI pack.
7. Develop a public-interest AI-enabled financial capability service.Consider how clients may arrive better informed, differently informed or misinformed by AI tools. Update client communication, vulnerability, disclosure and advice-boundary controls.Refresh advice-boundary and client education controls.

3. The practical AI compliance framework

Large advice firms should implement a framework that is proportionate to the role AI plays in the business. The framework should cover internal AI tools, vendor AI, embedded AI in existing platforms, AI used by appointed representatives or advisers, and AI interactions that affect clients indirectly.

AI policy and risk appetite

Define permitted, restricted and prohibited AI use; set approval thresholds; link the policy to Consumer Duty, SM&CR, data protection, financial crime, vulnerable customers and operational resilience.

AI use-case register

Record every AI use case, including owner, purpose, business area, data used, vendor, autonomy level, client impact, control owner, approval status and review date.

Client impact assessment

Assess whether the use case affects advice quality, suitability, communications, vulnerability treatment, product recommendations, complaint handling, fees, servicing or client understanding.

Human oversight protocol

Define what the human reviewer sees, what they must check, when they can override, how disagreement is recorded and when escalation is mandatory.

Data governance controls

Confirm source data quality, permission, minimisation, retention, access control, data leakage controls and how client data is protected when using external tools.

Model and vendor due diligence

Review model purpose, limitations, explainability, security, data use, subcontractors, service resilience, audit rights, monitoring support and exit options.

Testing and validation

Test outputs before deployment and after material change. Include accuracy, bias, hallucination, suitability risk, vulnerability handling, complaints risk and operational failure modes.

Live monitoring and MI

Monitor usage, exceptions, overrides, complaints, outliers, drift, adviser reliance, client harm indicators and control breaches through a standing MI pack.

Recordkeeping and audit trail

Retain evidence of approvals, prompts where appropriate, output review, adviser decisions, client-impact checks, issues, remediation and senior management review.

Assurance and continuous improvement

Schedule second-line reviews, internal audit testing, board reporting, lessons learned, policy refreshes and training updates.

4. Priority changes large advice firms should make

The following changes are the highest-value starting point for firms that already use AI informally or through existing platforms, but have not yet formalised AI-specific compliance oversight.

  • Move from informal AI use to controlled AI inventory

    Advisers and operational teams may already be using AI tools to draft, summarise, analyse or triage information. The firm needs visibility before it can control risk.

  • Move from generic human-in-the-loop statements to defined oversight

    For each use case, document the expected human role: operator, collaborator, consultant, approver or observer. The higher the autonomy, the stronger the evidence requirement.

  • Move from technology procurement to regulatory due diligence

    AI vendor review should include regulatory impact, data use, model limitations, change notification, audit support and resilience, not just security and commercial terms.

  • Move from periodic sampling to live control monitoring

    Where AI operates continuously, compliance oversight should include ongoing metrics, exceptions, override rates and outcome indicators.

  • Move from fragmented records to a single source of truth

    AI approvals, risk assessments, monitoring, incidents and senior management updates should be centrally held and easy to evidence.

5. Governance model for large firms

A large firm should avoid leaving AI governance entirely inside technology, compliance or operations. The operating model should make ownership clear across the three lines of defence while preserving senior accountability.

Suggested ownership, cadence and evidence across the three lines of defence
Forum / ownerRoleMinimum cadenceEvidence produced
Board / Executive CommitteeApprove AI risk appetite, oversee material risks, review significant incidents and client-outcome trends.QuarterlyBoard AI risk report, appetite statement, decision log
SMF16 / Compliance DirectorOwn compliance interpretation, second-line challenge and control effectiveness for regulated use cases.MonthlyCompliance AI MI, exceptions, remediation tracking
AI Governance ForumApprove use cases, review risk assessments, monitor vendor and data controls, coordinate policy updates.MonthlyUse-case approvals, control attestations, risk decisions
Data Protection / SecurityAssess data use, access, retention, leakage, cyber and operational resilience implications.At approval and changeDPIAs, security reviews, resilience assessments
Business OwnerOwn the operational use case, user training, adherence to controls and first-line monitoring.OngoingUse logs, training records, issue reports
Internal Audit / AssuranceTest whether the framework works in practice and whether evidence supports senior management confidence.Annual or risk-basedAudit report, findings, management actions

6. Practical roadmap

A phased roadmap for formalising AI compliance oversight
PhaseObjectiveKey actionsEvidence by end of phase
0-30 daysGain visibilityIdentify existing AI use; issue interim usage guidance; nominate owners; block high-risk uncontrolled use.Initial AI inventory, interim policy note, named owners
30-90 daysPut controls around material useClassify use cases; approve or pause high-impact tools; complete vendor and data checks; define human oversight.Risk assessments, oversight protocols, vendor due diligence
90-180 daysBuild management informationLaunch AI governance forum; create MI pack; monitor exceptions, overrides, incidents and client-impact indicators.Forum minutes, MI pack, issue log, remediation plan
6-12 monthsEmbed assuranceRun second-line testing; refresh training; benchmark against FCA AI good and poor practice when released; report to board.Assurance report, training evidence, board update

7. Minimum evidence pack for an AI compliance framework

The evidence pack should make it easy for senior management, compliance, risk and future supervisors to understand what AI is used for, why it is controlled, and whether the controls are working.

  • AI policy and risk appetite statement.
  • AI use-case register with autonomy and client-impact classification.
  • AI client impact assessment template.
  • AI vendor due diligence checklist and approved-vendor list.
  • Human oversight protocol for each material use case.
  • Data protection and information security assessment.
  • Testing, validation and monitoring records.
  • AI incident, issue and override log.
  • Compliance MI pack for senior management and board reporting.
  • Training records and adviser/employee attestations.
  • Annual assurance plan and completed review findings.

8. BAT Software perspective

The Mills Review reinforces a direction BAT has already been seeing across the advice market: compliance is becoming more operational, more data-led and more dependent on structured evidence. For large firms, AI compliance will not be managed well through scattered documents, informal approvals or isolated technology decisions.

A centralised compliance operating model gives firms a practical foundation: one place to manage oversight activity, evidence, file reviews, exceptions, MI and senior management visibility. As AI becomes more embedded in advice operations, this centralised view becomes more important, because the firm must be able to show not only that controls exist, but that they are working.

9. Board and SMF16 discussion questions

  • Do we know where AI is already being used across advisers, operations, compliance, marketing and client servicing?
  • Which AI use cases could affect client understanding, suitability, vulnerability, complaints, AML, financial crime or Consumer Duty outcomes?
  • Have we defined what human oversight means for each material AI use case?
  • Can we evidence the data, prompt, output, review decision and escalation pathway where AI supports regulated activity?
  • Do our vendors give us enough transparency, monitoring support, contractual control and exit capability?
  • What AI-related MI should the board, SMF16 and compliance leadership see each month or quarter?
  • What would we show the FCA if asked how AI is governed across the firm?

10. Publication and approval caveats

  • This guide is a practical marketing and compliance-operations guide, not legal advice.
  • The Mills Review makes recommendations for the FCA Board and Executive to consider; it does not itself create a new FCA rulebook for advice firms.
  • Any firm-specific framework should be reviewed against the firm's permissions, business model, technology stack, data arrangements, outsourcing, SM&CR responsibilities and Consumer Duty governance.
  • References to AI compliance should be approved by compliance, legal and product owners before external publication.

Source notes

Turn AI governance into evidence you can manage

BAT helps advice firms centralise compliance oversight, structured evidence, management information and AI-assisted file checking, while preserving the firm's own governance and accountability.

Share this update