- 31st May 2026
AI Governance for Financial Services: FCA & PRA 2026
In Short
- Financial services firms already have AI governance obligations. FCA principles, Consumer Duty, SM&CR, and PRA SS1/23 create enforceable requirements for AI systems today, even without a dedicated UK AI regulation.
- SS1/23 is the foundation for AI model governance. AI and machine learning models used in material decisions should be inventoried, classified, validated independently, monitored continuously, and governed through formal model risk processes.
- Consumer-facing AI must be explainable and fair. Firms need evidence that AI-driven decisions support good customer outcomes, avoid discriminatory impacts, and can be explained at an individual decision level.
- Governance gaps are becoming a regulatory risk. Many firms have adopted AI in operations, customer service, and compliance without integrating those systems into formal oversight, accountability, and monitoring frameworks.
For regulated firms, AI governance is no longer a future compliance issue—it is a current supervisory expectation. The most resilient programmes combine model risk management, Consumer Duty requirements, fairness assessments, and ongoing monitoring within a single governance framework. Organisations that treat AI as an extension of existing GRC and risk management processes will be better positioned for FCA and PRA scrutiny as regulatory expectations continue to mature.
Expert View
Matt Davies, Chief Product Officer, SureCloud
What our experts say about AI Governance for Financial Services
“The most common gap in how financial services firms are currently approaching AI governance — specifically whether firms are treating AI risk as a sub-category of model risk under SS1/23 or as a separate governance domain, and which approach regulators are likely to prefer.”
Why AI Governance in Financial Services Is Not a Future Problem
AI is already embedded in financial services operations — credit decisioning, fraud detection, customer communication, investment research, operational risk monitoring. The governance question is not whether to govern AI but whether the governance structures that firms have in place are adequate to satisfy regulatory expectations and withstand supervisory scrutiny.
The UK regulatory position is deliberately principles-based. Neither the FCA nor the PRA has published a single comprehensive AI governance standard. Instead, AI obligations are distributed across existing frameworks: model risk management, consumer protection, market conduct, and operational resilience. This creates a challenge for compliance functions — the obligations are real but require active interpretation rather than checkbox compliance against a single document.
The EU AI Act, the first binding legislative framework for artificial intelligence globally, also has implications for UK financial services firms with EU operations, EU clients, or AI systems deployed in EU contexts. UK-based firms are not subject to the EU AI Act solely by virtue of their UK location, but firms with EU market exposure need to conduct a scope assessment and cannot assume UK-only regulatory perimeter.
PRA Supervisory Statement SS1/23: Model Risk Management Extended to AI
The PRA's supervisory statement SS1/23, Model risk management principles for banks, published in May 2023, is the most directly applicable existing regulatory document for firms managing AI model risk. Although published before AI-specific regulation was in force, SS1/23 applies to any model — including AI and machine learning models — used in material risk management and financial decisioning.
SS1/23 sets out five principles for sound model risk management:
- Model identification and model risk classification: Firms must maintain a model inventory and classify models by their potential impact. AI models with material decision impact — credit scoring, fraud classification, market risk models — require formal classification. Ad hoc or unregistered AI use is a direct control gap.
- Governance and oversight: Firms must have clear accountability for model risk, including board-level ownership. AI models must sit within this governance structure, not outside it.
- Model development and implementation: Development processes must be documented, with clear specification of model purpose, data inputs, methodology, validation criteria and limitations.
- Independent model validation: Material models must be validated by a function independent of model development. For AI and machine learning models, validation must include assessment of model behaviour under stressed conditions and examination of potential for biased outputs.
- Model monitoring: Approved models must be subject to ongoing performance monitoring, with defined triggers for review when performance degrades or operating conditions change. This is particularly significant for ML models, which can exhibit performance drift as data distributions shift.
Firms that have not brought their AI and machine learning models within the SS1/23 model risk framework have a regulatory gap. The supervisory statement is not aspirational guidance — it describes the PRA's expectations of adequately governed firms.
FCA Expectations: Principles, Consumer Duty, and Evolving Guidance
The FCA's approach to AI governance is principles-based and evolving. The FCA has not published a dedicated AI governance framework, but its expectations are substantive and derive from multiple existing sources.
FCA Discussion Paper DP5/22 and the AI Public-Private Forum
The FCA published Discussion Paper DP5/22, Artificial Intelligence and Machine Learning, in October 2022 (jointly with the Bank of England and PRA). This paper set out the regulators' thinking on AI governance priorities and invited industry feedback. The key themes from DP5/22 that remain relevant to 2026 governance programmes include: explainability of AI-driven decisions, non-discrimination and fairness in algorithmic outputs, data quality and representativeness, and human accountability for AI system behaviour.
DP5/22 was a consultation document, not a policy statement. It did not create new binding obligations. However, the priorities it identified have been absorbed into supervisory expectations and enforcement risk. Firms that cannot demonstrate explainability for material AI decisions, or that have not assessed AI systems for discriminatory outcomes, are operating with governance gaps that regulators have explicitly flagged as concerns.
Consumer Duty and AI-Driven Customer Decisions
The Consumer Duty, which the FCA implemented for new products and services from 31 July 2023 and for closed book products from 31 July 2024, creates substantive obligations that apply directly to AI systems used in customer-facing processes.
The Consumer Duty's four outcomes — products and services, price and value, consumer understanding, and consumer support — all have AI governance implications:
- Products and services: AI systems that filter, recommend, or determine product eligibility must be assessed for whether they produce outcomes aligned with consumers' interests and not just commercial objectives.
- Price and value: Algorithmic pricing must be assessed for whether it delivers fair value. AI-driven differential pricing requires documented justification.
- Consumer understanding: Where AI determines what communications consumers receive, or how information is presented to them, firms must be able to demonstrate that the AI system is designed to support genuine consumer understanding — not to exploit cognitive biases or information asymmetries.
- Consumer support: AI used in customer service, complaint handling, or claims assessment must not create barriers to consumers exercising their rights.
The practical governance implication is that AI systems affecting customer outcomes cannot operate as black boxes. Firms need to be able to explain, at the individual decision level, why an AI system produced a particular outcome for a customer. This requirement for explainability is not just a technical challenge — it is a governance design requirement that must be embedded from the point of system development.
Existing FCA Principles Applicable to AI
Beyond Consumer Duty and DP5/22, several of the FCA's Principles for Businesses (PRIN) apply directly to AI system governance:
- Principle 6 (Customers' interests): A firm must pay due regard to the interests of its customers and treat them fairly. AI systems that produce systematically unfair outcomes — whether through biased training data, flawed model design, or inadequate monitoring — breach this principle.
- Principle 7 (Communications with clients): A firm must pay due regard to the information needs of its clients. AI-generated communications must meet this standard.
- Principle 9 (Customers: relationships of trust): Where AI systems influence recommendations or decisions in contexts of trust, human accountability must be maintained.
- Principle 11 (Relations with regulators): Firms must deal with their regulators in an open and cooperative way. Where AI system failures cause customer harm, firms must have audit trails sufficient to investigate and report accurately to the FCA.
What an AI Governance Programme Needs to Cover
A governance programme that satisfies FCA and PRA scrutiny in 2026 needs to address five domains. These are not aspirational — they reflect the minimum expected of a regulated firm with material AI deployment.
1. AI Inventory and Risk Classification
Firms must know what AI systems they operate and what decisions or processes those systems influence. An AI inventory — analogous to the model inventory required under SS1/23 — should cover: the system's purpose and scope, the data it uses, the decisions it influences (directly or as a recommendation), the affected customer or business populations, and the classification of risk.
Classification should align with SS1/23 principles for model risk: systems that influence material financial decisions or customer outcomes require higher governance intensity than systems used in internal process automation with limited external impact.
2. Accountability and Oversight Structures
Every material AI system must have a named owner accountable for its governance. The Senior Managers and Certification Regime (SM&CR) creates individual accountability for senior managers — firms should ensure that AI governance responsibilities are explicitly allocated under SM&CR and that the relevant Senior Manager understands their accountability. Board-level AI governance oversight is expected for firms with material AI exposure, not optional.
3. Model Validation and Explainability
Material AI models — particularly those used in credit, fraud, pricing, and customer segmentation — require independent validation as described in SS1/23. Validation must cover model performance, potential for discriminatory outputs, robustness under distributional shift, and limitations. Explainability requirements for customer-facing AI are non-negotiable under Consumer Duty: firms must be able to articulate, in terms accessible to a customer, why a decision was reached.
4. Fairness and Non-Discrimination Assessment
AI systems used in customer-facing decisions must be assessed for potential discriminatory outcomes across protected characteristics under the Equality Act 2010. This is not a theoretical requirement — the FCA has been explicit that algorithmic bias constitutes a consumer protection risk. Firms need documented methodologies for assessing AI systems for discriminatory outcomes and processes for remediation when bias is detected.
5. Ongoing Monitoring and Incident Reporting
Approved AI models must be monitored continuously. Performance metrics, data distribution monitoring, and fairness indicators need to be tracked against defined thresholds with clear escalation procedures when thresholds are breached. Where an AI system causes or contributes to customer detriment, firms must have audit trails sufficient to investigate root cause and report accurately — both to internal governance structures and to the FCA.
For firms subject to the EU Digital Operational Resilience Act (DORA), which entered into force on 17 January 2025, AI systems classified as part of critical ICT infrastructure carry additional monitoring and incident reporting obligations, including the notification requirements under DORA Article 19.
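As an added example, not SureCloud's code or any regulator's prescribed method, the following Python shows what the monitoring step in domain 5 and the fairness assessment in domain 4 look like in practice: two indicators tracked against defined thresholds over a log of AI decisions, with an escalation recorded when a threshold is breached. The metric choices (a population stability index for data-distribution drift, an approval-rate ratio across a protected group for fairness), the thresholds and the decision log are all assumptions constructed for the example.

```python
# Added example (not SureCloud's code). Metric choices (PSI for drift, an
# approval-rate ratio for fairness) and all thresholds/data are assumptions.
from collections import Counter
import math

# Constructed reference: share of each score band at validation time
REFERENCE_BANDS = {"low": 0.50, "mid": 0.35, "high": 0.15}

# Constructed recent decisions: (score_band, protected_group, approved)
RECENT_DECISIONS = [
    ("low", "A", False), ("low", "A", False), ("mid", "A", True),
    ("high", "A", True), ("mid", "A", True), ("high", "A", True),
    ("low", "B", False), ("low", "B", False), ("low", "B", False),
    ("mid", "B", False), ("high", "B", True), ("mid", "B", True),
]

# Assumed thresholds: PSI above 0.25 is commonly read as major drift; a
# rate ratio under 0.80 mirrors the "four-fifths" adverse-impact rule
THRESHOLDS = {"psi": 0.25, "min_rate_ratio": 0.80}


def population_stability_index(reference, observed_counts):
    """PSI between reference band shares and observed band counts."""
    total = sum(observed_counts.values())
    psi = 0.0
    for band, ref_share in reference.items():
        # floor the observed share so an empty band does not give log(0)
        obs_share = max(observed_counts.get(band, 0) / total, 1e-6)
        psi += (obs_share - ref_share) * math.log(obs_share / ref_share)
    return psi


def approval_rate_ratio(decisions):
    """Lowest group approval rate divided by the highest, plus the rates."""
    seen, approved = Counter(), Counter()
    for _, group, ok in decisions:
        seen[group] += 1
        approved[group] += int(ok)
    rates = {g: approved[g] / seen[g] for g in seen}
    return min(rates.values()) / max(rates.values()), rates


def run_checks(decisions, reference=REFERENCE_BANDS, thresholds=THRESHOLDS):
    """Evaluate both indicators and list the escalations they trigger."""
    bands = Counter(band for band, _, _ in decisions)
    psi = population_stability_index(reference, bands)
    ratio, rates = approval_rate_ratio(decisions)
    escalations = []
    if psi > thresholds["psi"]:
        escalations.append(f"drift: PSI {psi:.3f} > {thresholds['psi']}; "
                           "refer to model owner for revalidation")
    if ratio < thresholds["min_rate_ratio"]:
        escalations.append(f"fairness: rate ratio {ratio:.2f} < "
                           f"{thresholds['min_rate_ratio']}; open bias review")
    return {"psi": round(psi, 3), "rate_ratio": round(ratio, 3),
            "rates": rates, "escalations": escalations}
```

Calling `run_checks(RECENT_DECISIONS)` on the constructed log reports no material drift but a group approval-rate ratio of 0.50, so only the fairness escalation fires; the returned dictionary is the kind of evidence the audit trail in this section needs to retain.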
How Financial Services Firms Are Responding
Adoption of formal AI governance programmes across financial services is uneven. Tier-one banks and insurers with established model risk management functions have a structural advantage: extending SS1/23 processes to cover AI and machine learning is operationally straightforward compared to building AI governance from scratch.
Mid-tier firms face a more significant challenge. Many have deployed AI tools — particularly in customer service, document processing, and compliance monitoring — without integrating those tools into formal model risk or AI governance frameworks. The gap between deployment and governance is the area of highest regulatory risk in 2026.
A consistent pattern in more mature firms is the creation of a dedicated AI governance function or committee, separate from but aligned with model risk. This structure allows AI-specific considerations — including ethical impact, explainability, and broader societal risk — to be assessed alongside the quantitative model risk metrics that existing model risk frameworks prioritise.
What to Expect From Regulators in 2026 and Beyond
Both the FCA and PRA have signalled that AI governance will be a sustained supervisory priority. The direction of travel is toward greater specificity — moving from principles-based expectations to more prescriptive requirements as regulator understanding of AI risks matures.
The Basel Committee on Banking Supervision has published principles for the sound management of operational risk and is actively considering AI-specific extensions. The European Banking Authority (EBA) has issued guidance on internal governance that touches on algorithmic decision-making. Firms with international operations need to monitor not just UK regulatory developments but the trajectory of Basel Committee, EBA, and EIOPA guidance, which influences UK supervisory expectations even post-Brexit.
The UK government's AI Opportunities Action Plan, published in January 2025, signals a government intent to support AI adoption across the economy — including financial services. This creates a policy environment in which regulators are under some pressure to avoid frameworks that are so burdensome they impede adoption. The likely outcome is targeted, risk-based requirements rather than comprehensive ex-ante regulation on the EU AI Act model.
FAQs
Does SS1/23 apply to all AI models or only to banks?
PRA supervisory statement SS1/23 applies to PRA-regulated firms — primarily banks, building societies, and PRA-designated investment firms. It covers all models used in risk management and financial decisioning, which includes AI and machine learning models. FCA-only regulated firms are not directly subject to SS1/23, but the FCA's own supervisory expectations on model governance broadly align with the same principles.
Does Consumer Duty apply to AI systems that make automated decisions about customers?
Yes. Consumer Duty applies to outcomes for customers, not to the mechanism by which those outcomes are produced. Where an AI system determines product eligibility, pricing, communication content, or service access, the Consumer Duty's four outcomes apply in full. Firms cannot use automation as a reason for reduced oversight; if anything, the opacity of some AI systems creates heightened governance obligations to ensure outcomes are fair and explainable.
What is the FCA's current position on AI explainability?
The FCA has not published a formal explainability standard, but explainability has been a consistent theme in its AI-related publications, including DP5/22 and subsequent speeches. The practical regulatory expectation is that firms must be able to explain material AI-driven decisions to customers when asked, and must be able to investigate and audit those decisions when they result in complaints or harm. Firms that cannot provide such explanations face both regulatory and legal risk under the Consumer Duty framework.
Are UK financial services firms subject to the EU AI Act?
UK firms are not subject to the EU AI Act solely because they are UK-based. However, any firm that develops AI systems deployed or used in the EU, provides AI-enabled services to EU customers, or operates AI systems whose outputs affect EU-based decisions is likely within scope as a provider or deployer. Firms with EU market exposure must conduct a scope assessment and should not assume they are outside the Act's reach.
What is the Senior Managers and Certification Regime role in AI governance?
The Senior Managers and Certification Regime (SM&CR) creates individual accountability for material decisions and functions in regulated firms. AI governance responsibilities should be explicitly allocated to named Senior Managers through updated Statements of Responsibilities. Where an AI system causes regulatory harm and accountability has not been clearly allocated, this is a governance failure in its own right — separate from the harm caused by the AI system.