“The adoption of safe and responsible AI by the financial services industry plays a key role in supporting growth…”
– Jessica Rusu, FCA Chief Data, Information and Intelligence Officer, Innovate Finance Global Summit, July 2025
AI is no longer optional innovation; it’s a board-level opportunity and risk. With the FCA expecting firms to “do the right thing, then evidence it,” readiness is no longer a future state; it’s an immediate priority.
The FCA’s stance is clear: AI is a governance issue. Whether you’re piloting machine learning to help flag compliance issues, or exploring large language models to support agents, the question isn’t “Can we?” but “Should we and how will we stay in control?”
This blog outlines five critical governance conversations every regulated firm should be having. These aren’t theoretical debates; they’re risk-aware, compliance-informed, and operationally grounded prompts to help you assess your firm’s readiness.
Note: For this blog, “AI” includes both assistive tools (e.g. predictive scoring, speech analytics) and automated or decision-support systems.
What is “AI readiness” in a regulated firm?
AI readiness means having more than just capability; it’s about governance, accountability, and cultural preparedness. In the eyes of the FCA, that includes:
- Clear oversight structures, including for assistive AI
- Documented evidence of good outcomes (PRIN 2A.8)
- Avoidance of foreseeable harm to customers (PRIN 2A.9)
- Ongoing monitoring, not just pre-deployment signoff
⚠️ Even if AI isn’t making final decisions, the FCA expects firms to monitor and evidence its influence on outcomes.
1. What problem are we trying to solve with AI?
Before deploying AI, take a breath: What customer or operational problem are we solving and what will success look like?
A clear problem definition ensures AI is purposeful, outcome-focused, and aligned with Consumer Duty.
Use this conversation to:
- Align AI to measurable pain points (e.g. QA backlog, mislabelled complaints)
- Define success through customer outcome and control, not just efficiency
- Anchor to PRIN 2A.4 (Fair value) and PRIN 2A.9 (Foreseeable harm)
🔁 Example: A motor finance firm piloting AI for call QA aligns its use case to missed vulnerability triggers, not just audit volume.
2. How will AI decisions be controlled and audited?
Without explainability, there’s no defensibility. Whether AI is recommending actions or flagging risks, firms must maintain a transparent oversight chain.
Use this conversation to:
- Define how AI outputs are documented, reviewed, and challenged
- Build MI dashboards for continuous performance tracking
- Prepare audit trails to meet PRIN 2A.8 (outcome testing)
⚠️ Even if AI isn’t the decision-maker, its influence must be monitored and evidenced – especially in regulated customer journeys.
🔁 Example: One lender uses AI for QA sampling but retains manual reviews for final scoring, creating dual-layered accountability.
3. Are our teams trained and are we closing the feedback loop?
AI readiness isn’t just about software; it’s about people. Ops leaders must ask: Can our teams work confidently and safely alongside AI?
Training is essential, but so is learning from frontline feedback.
Use this conversation to:
- Provide contextual training for QA teams, agents, and managers
- Establish feedback loops between human reviewers and AI tools
- Set clear escalation routes when outputs don’t align with experience
🔁 Example: A collections firm finds that AI missed emotional cues, so it adds a feedback button to the QA review workflow to flag potential blind spots.
4. What risks could AI introduce to vulnerable customers?
The more your AI use case touches affordability, emotion, urgency, or complaints, the more care is needed.
Use this conversation to:
- Review AI’s ability to detect emotive nuance, urgency, or distress
- Check whether automation introduces new access or interpretation barriers
- Align usage to vulnerability frameworks and Customer Support Duty
⚠️ PRIN 2A.9 emphasises the need to avoid foreseeable harm; this includes indirect harm from misunderstood or misapplied automation.
🔁 Example: A credit broker flags concerns about tone-analysis AI interpreting assertiveness as aggression, prompting a test run against actual vulnerable disclosures.
5. Who owns AI governance and are we managing model risk?
Cross-functional ownership is essential, but so is structure. AI governance should mirror your broader risk framework, with tiered accountability and board visibility where appropriate.
And if you’re using third-party AI? Model risk becomes a front-and-centre issue.
Use this conversation to:
- Define tiered ownership: Ops, Risk, Compliance, and Board
- Establish a central governance function or AI steering group
- Address model risk and due diligence for vendor tools
📌 For high-impact use cases, oversight should extend to board-level risk committees—especially where reputational or regulatory consequences are material.
🔁 Example: A lender reviewing a third-party AI vendor conducted a pre-pilot due diligence audit and required model documentation to support explainability obligations.
What AI readiness is not
- Buying an AI tool and assuming governance is built-in
- Delegating AI projects solely to IT or Innovation
- Waiting for formal FCA rules before acting
AI readiness is about accountable innovation, not unchecked experimentation.
AI readiness checklist (quick reference)
| Key conversation | What to explore |
|---|---|
| What are we solving? | Is AI clearly tied to customer or operational outcomes? |
| How do we audit decisions? | Are outputs reviewable, explainable, and evidenced? |
| Are teams ready? | Is training contextual and feedback flowing both ways? |
| Are we protecting vulnerable customers? | Could AI unintentionally harm access or support? |
| Who owns governance? | Is oversight clear, tiered, and cross-functional? |
Final thought: AI is a governance risk and a commercial one
AI readiness isn’t about hype. It’s about protecting your firm’s reputation, resilience, and regulatory standing.
The firms that act now – thoughtfully, transparently, and cross-functionally – will be the ones who innovate without exposure.




