AI in Financial Services: Use Cases, Governance and FCA Expectations
75% of UK financial services firms already use AI, yet only a third fully understand it. Where AI pays off by function, and what the FCA actually expects of your governance.

By Ivan Pylypchuk, CEO of SoftBlues. Has led Claude and automation projects for finance, legal and professional services teams across the UK and Ireland.
AI in financial services is already mainstream: 75% of UK firms use it, mostly in operations, compliance and customer support rather than on trading floors. The FCA has not written an AI rulebook. It applies existing frameworks, chiefly the Consumer Duty and the Senior Managers and Certification Regime, so accountability sits with your firm, not your vendor.
That 75% comes from the Bank of England and FCA's joint survey of 118 firms (Bank of England, Nov 2024). At SoftBlues, an AI implementation firm working with regulated mid-market companies across the UK and Ireland, we spend most of our time on the gap that survey exposes: the use cases are proven, but the governance questions decide whether a project ships. This guide covers both.
Key facts
Who this is for, and who it isn't
This guide is for decision-makers at UK and Ireland financial services firms of roughly 50 to 500 people: wealth and advice businesses, insurers and brokers, lenders, payments and fintech firms planning their first serious AI deployment. If you are a systemic bank with a forty-person model risk team, your PRA supervisor already covers most of this ground. And if you want a quick chatbot with no governance questions asked, we are honestly the wrong partner.
Where is AI in financial services actually being used?
Not where the headlines suggest. The survey data shows AI concentrated in the middle and back office: document processing, compliance monitoring, customer operations and fraud detection. 55% of reported use cases involve some degree of automated decision-making, but only 2% are fully autonomous (Bank of England / FCA survey, Nov 2024). Firms keep people on the decisions and use AI to do the reading, sorting and drafting around them.
Here is where we see AI earning its keep by function, and where the human has to stay.
| Function | Where AI helps today | Keep a human on |
|---|---|---|
| Onboarding and KYC | Document capture and extraction, screening-alert triage, file assembly | The approve or reject decision |
| Compliance | File reviews against checklists, comms monitoring, horizon scanning summaries | Judgement calls, remediation, sign-off |
| Customer operations | Drafting responses, summarising case histories, routing and triage | Complaints decisions, vulnerable customers |
| Finance and back office | Reconciliations, variance commentary, invoice and document processing | Controls and final sign-off |
| Credit and underwriting | Gathering data, summarising documents, consistency checks across files | The lending or pricing decision |

The pattern is assistive AI: the system prepares the work, a person owns the outcome. That is not a limitation to apologise for. It is what makes deployments explainable to a supervisor, and it is why document-heavy operations are usually the right starting point. We have written separately about how AI document processing works in finance and legal operations.
What does the FCA expect from firms using AI?
The FCA's approach is often summarised as "same activity, same risk, same rule". There is no AI permission to apply for and no AI chapter in the Handbook. Instead, the regulator expects firms to apply the rules that already exist to whatever technology they use (FCA: AI in financial services).
That does not mean the regulator is passive. The FCA now runs AI Live Testing inside its AI Lab, where firms work directly with regulatory and technical teams to deploy AI systems in live markets; a second cohort was announced in 2026 covering use cases from AML protection to KYC (FCA press release). And Parliament is pushing for more: the Treasury Committee's January 2026 report asked the FCA to publish practical guidance by the end of 2026, recommended AI-specific stress testing, and called for major AI and cloud providers to be designated as critical third parties (Treasury Committee, Jan 2026).
In practice, four existing frameworks do most of the work when you assess an AI project:
| Framework | What it means for your AI project |
|---|---|
| Consumer Duty | Evidence good customer outcomes. If AI shapes a decision or a communication a retail customer sees, you must be able to show it did not cause foreseeable harm |
| SM&CR | A named senior manager owns the system and answers for its failures. "The vendor got it wrong" is not a defence |
| Operational resilience | If AI sits inside an important business service, it needs impact tolerances, tested fallbacks and an exit plan for the vendor |
| UK GDPR | Lawful basis for processing, data minimisation, and care with automated decisions that significantly affect individuals |

Who is accountable when AI gets it wrong?
Under SM&CR, a person, not a committee. The honest test we suggest before any deployment: name the senior manager who would stand in front of the FCA if this system mis-sold, mis-scored or leaked. If nobody wants the name on it, the governance is not ready, whatever the technology looks like.
The Treasury Committee made the same point in stronger language, asking the FCA to spell out the level of assurance senior managers must have over AI-driven harm (Treasury Committee, Jan 2026). Until that guidance lands, the practical minimum we implement with clients is: a named owner for each AI system, a decision log covering what the system may and may not do, a monitoring routine with thresholds that trigger escalation, and board-level reporting at a sensible cadence.
How should a mid-market firm handle model risk without a model risk team?
Borrow from the banks, at your scale. The PRA's model risk principles (SS1/23) formally apply to banks with internal model permissions, but the five principles behind them translate directly: know what models you run, rank them by materiality, validate before deployment, monitor in production, and document the lot.
For a 50-to-500-person firm that means a model register (a spreadsheet is fine), a pre-deployment test pack with your own cases, a human review of a sample of outputs each month, and a note of every material change. It is a week of work to set up, and it is the difference between a defensible deployment and hoping nobody asks.
Here is what that looks like in practice. In a discovery engagement with a UK financial-advice business, we scoped an AI-assisted compliance file review: the system checks each client file against the firm's own compliance checklist, flags gaps and inconsistencies, and routes every flag to a human reviewer with a link back to the source document. Nothing is decided by the model; everything is traceable. The full design is in our compliance file review case study, published honestly as a proposal-stage engagement rather than a live deployment.
Where should you not use AI yet?
1. Fully automated consumer decisions. Credit, claims and suitability decisions made without meaningful human review sit at the sharp end of both the Consumer Duty and UK GDPR. Only 2% of surveyed use cases are fully autonomous for good reason.
2. Unbounded customer-facing advice. A model that improvises answers about products and suitability is an unregulated-advice incident waiting to happen. Constrain what it may say, and route the rest to people.
3. Public tools with client data. Consumer AI accounts can retain prompts. Client and customer data belongs only in systems covered by a contract that excludes training use.
4. Anything you cannot explain. If you cannot describe to a supervisor what the system does, on what data, with what failure modes, you are not ready to run it. Only 34% of firms claim complete understanding of their own AI; aim to be in that third.
Frequently asked questions
Do we need FCA approval to use AI?
No. There is no AI-specific authorisation. Your existing permissions, and the rules that come with them, cover AI the same way they cover any other technology. Firms that want to work with the regulator directly on a live deployment can apply to the FCA's AI Live Testing programme.
Does the FCA ban fully autonomous AI?
No, but the bar is high in practice. The Consumer Duty and UK GDPR's rules on automated decisions make fully autonomous consumer-facing decisions hard to justify, which is why only 2% of use cases in the Bank of England and FCA survey run without a human in the loop.
We buy AI through vendors. Doesn't that shift the risk?
It shifts the work, not the accountability. A third of UK AI use cases are third-party implementations, and the Treasury Committee wants the biggest providers designated as critical third parties. Your firm still owns the outcomes, so due diligence, exit plans and output monitoring are yours to run.
What should a mid-market firm automate first?
Document-heavy, rules-checkable operations: onboarding packs, compliance file reviews, reconciliations, reporting commentary. They have clear ground truth, so you can measure accuracy honestly. Our piece on AI for accountants shows the same logic applied to practice work.
Do SS1/23 model risk rules apply to us if we are not a bank?
Formally they apply to banks with internal model permissions. Treat them as the direction of travel: a proportionate model register, validation and monitoring routine is cheap insurance, and it answers most questions a supervisor or a professional indemnity insurer will ask.
How long does a first deployment take?
Our engagements run to production in 90 days at a fixed price, with a money-back guarantee if the proof of concept fails (our data). Discovery, where we map the process and the governance requirements, typically comes first; timelines depend on data access and the number of systems involved.
SoftBlues is a registered Anthropic Partner Network member and a registered Google Cloud and Microsoft partner, working with regulated mid-market firms across the UK and Ireland. We run six of our own departments on Claude, so we govern the same technology we deploy. If you are weighing an AI project against FCA expectations, or comparing partners using our guide to choosing an AI consulting firm, the quickest next step is a conversation about your specific use case. Book a discovery call.


