AI in UK financial services: FCA expectations, UK GDPR, and the steps firms need to get right

AI in UK Financial Services: What FCA and Data Protection Mean for Deployment

AI is now part of how UK financial institutions run risk, fight fraud, serve customers, and design products. That means AI systems and tools, whether in-house or from vendors, sit inside regulated activity and business processes.

If you're deploying AI, you're working under two overlapping regimes: the FCA framework and the UK data protection regime. Treat them as one operating system for safe, compliant scale.

1) FCA expectations for AI use

The FCA's approach

The FCA supervises AI through existing rules, not a standalone AI rulebook. If AI touches a regulated activity or customer path, the usual obligations apply.

Two areas bite hardest: Consumer Duty (PRIN 2A) and governance/accountability under SM&CR and SYSC. If AI influences product design, distribution, pricing, eligibility, fraud controls, servicing, complaints, or communications, you need clear oversight and evidence of good outcomes.

The FCA also set up practical routes to test and learn with supervisors involved: a supercharged sandbox, AI Live Testing, and AI Spotlight projects. Expect ongoing coordination with the ICO where AI meets data protection.

Useful reference: Consumer Duty overview from the FCA here.

What this means in practice

• Governance and accountability (SM&CR / SYSC): Assign an owner for each AI-enabled process. Record approvals before go-live. Define controls and change gates. Monitor performance and set clear escalation paths for bias, drift, errors, outages, and any customer harm.
• Consumer Duty evidence: Keep an evidence pack for customer-facing use cases. Show how you tested for outcomes at design and deployment, how you monitor post-launch, and how you fix issues quickly.
• Third-party and outsourcing: If AI is delivered by a supplier (cloud, model-as-a-service, or embedded in a platform), treat the AI capability as part of the outsourced service. Contracts and oversight should cover due diligence, service continuity, audit rights, access to data/models, incident reporting, and exit/transition rights.
• Operational resilience: Where AI supports an important business service, map dependencies end-to-end. Test plausible failures against impact tolerances. Cover AI-specific scenarios in incident response, like data quality degradation and model drift.
• Record-keeping and auditability: Keep proportionate records of governance decisions, testing/validation results, and monitoring MI. You'll need this for supervisors and customer complaints.
• Regulatory engagement: If you use FCA initiatives (e.g., AI Live Testing), be clear on the objective-assurance, governance learning, or control validation. Document outcomes, remediation, and updated controls.

2) Data protection requirements for AI

The legal framework

Where AI processes personal data, the UK GDPR and DPA 2018 apply. The Data (Use and Access) Act 2025 will amend parts of this framework once commenced.

Lawfulness, fairness, and transparency set the baseline. Identify an Article 6 lawful basis and, if relevant, an Article 9 condition for special category data. Define the purpose up front and limit use accordingly, including training and any secondary use. Provide clear information under Articles 13-14 about how the AI is used and how it affects people.

Check whether AI makes-or materially informs-decisions with legal or similarly significant effects. If those decisions are solely automated, Article 22 UK GDPR applies and you'll need safeguards: the ability for human intervention, a way to express a view, and to contest outcomes. The DUA Act replaces Article 22 with Articles 22A-22D once in force; until then, apply the current regime and ICO guidance. Run a DPIA where risk is likely to be high.

Explanations matter. If AI informs decisions about individuals, be ready to provide meaningful explanations that match your transparency statements and what your systems can show. The ICO's guidance is a good benchmark: Explaining decisions made with AI.

Operational implications you'll feel

• Role allocation and contracting: Decide who is controller, processor, or joint controller. Reflect that in contracts. Include Article 28 terms for processors, audit/assurance rights, limits on supplier re-use (including training), retention/deletion, sub-processor controls, and incident cooperation.
• Security and incident handling: Implement appropriate measures under Article 32-access controls, logging, and safeguards against unauthorised disclosure. Make sure breach assessment and notification are workable and fit with your FCA operational resilience playbook where relevant.
• Rights handling: Make DSARs workable at scale (and manage third-party data and redactions). Set a clear process to handle objections, rectification, and challenges to AI-generated inferences or outcomes, including investigation and remediation.
• International data flows: Map cross-border access in your AI stack and apply transfer mechanisms that are practical to operate (adequacy, IDTA, or UK Addendum to the EU SCCs).

What "good" looks like inside a firm

• Use-case inventory: Catalogue AI use across risk, fraud, customer service, and product. Mark where it touches regulated activities and personal data.
• Decision design: For decisions that affect individuals, define what "meaningful human involvement" actually means and who is accountable.
• Model risk basics: Data quality gates, performance thresholds, drift alerts, rollback plans, and periodic revalidation.
• Supplier playbook: Standard due diligence, DPIA inputs, and a contract checklist covering data, models, continuity, audit, and exit.
• Testing regime: Pre- and post-deployment checks for bias and accuracy, plus end-to-end testing of customer paths against Consumer Duty.
• Resilience drills: Simulation of AI-specific failures-bad inputs, broken features, degraded models-and how you restore service within tolerance.
• Evidence pack: Decision logs, validation reports, monitoring dashboards, and Board updates you can show to the FCA or the ICO.

Bottom line

AI in UK financial services sits under a dual compliance setup: FCA conduct/governance/resilience and UK data protection. Build the controls into your design, write them into contracts, and keep the evidence. That's how you scale AI with confidence and handle supervisory questions fast.

Want practical enablers?

See curated AI tools for finance that teams are actually using: AI tools for finance. If you're building team capability by role, this catalog can help: AI courses by job.