How FOS reforms will affect financial services firms
AI, from adoption to accountabilityArtificial intelligence (AI) has moved quickly from
08/05/26
Read more
AI in financial services: control, evidence and regulation
AI, from adoption to accountability
Artificial intelligence (AI) has moved quickly from the margins of financial services into everyday operations. What began as contained pilots or narrow efficiency plays is now shaping how firms detect fraud, onboard customers, assess creditworthiness and interact with clients. In many cases, AI is operating at speed and scale, embedded into processes that matter.
What is striking is how little of this momentum has been driven by regulation. The early push came from commercial opportunity – faster decisions, lower costs, richer insight. Once those benefits were visible, most firms were unwilling (or unable) to pause, even as questions around risk, data quality and oversight started to surface.
Policy and supervision are now catching up. The UK Government’s AI Opportunities Action Plan signals continued support for innovation, while regulators are becoming more explicit about how AI is expected to operate in practice within financial services. The FCA, for example, has set out in its 2026–27 annual work programme its ambition to become a more data-led regulator, including the use of AI to support supervision, analyse firm submissions and identify harm more effectively.
Regulatory expectations are shifting: innovation now sits alongside much higher expectations of evidencing control.
Moving ahead without waiting for perfect clarity
Across the sector, AI adoption is now widespread. The Treasury Select Committee’s recent inquiry underlines just how embedded these technologies have become, particularly among larger institutions.
What varies far more than adoption is governance maturity. Many firms are still relying on control frameworks designed for traditional, rules-based systems, where decision paths could be traced and challenged with relative ease. As AI models become more complex – and decisions more automated – applying those same approaches becomes increasingly difficult.
This does not mean existing regulatory frameworks are obsolete. Consumer Duty, SM&CR and operational resilience expectations continue to apply. But the emphasis is shifting. The challenge is no longer whether those regimes are relevant, but how firms practically evidence compliance when decision-making is less visible and outcomes are shaped by systems that evolve over time.
That raises an important question: how are regulators responding to this reality?
A more engaged – and more demanding – supervisory stance
Regulators are not starting from a blank page. The FCA’s engagement on AI has been deliberate and iterative, with initiatives such as the Mills Review examining whether existing regimes remain fit for purpose as AI becomes more deeply embedded, rather than proposing wholesale new rules.
Supervisory tools are also evolving. Greater use of testing environments, deeper dialogue with firms and a growing focus on systemic technology risk – reflected in regimes such as Critical Third Parties – all point to more hands-on oversight.
The message is not to slow down innovation. Instead, regulators are sharpening their focus on evidence: how risks are identified and mitigated, how outcomes are monitored, and how accountability is maintained once AI systems are live and scaled.
When theoretical risk becomes operational reality
The most difficult challenges rarely appear at the point of adoption. They emerge later, once AI is embedded into business-critical processes.
At that stage, questions of fairness, oversight and accountability move quickly from policy debate into day-to-day practice. Firms need to demonstrate how outcomes are being monitored when decisions happen in milliseconds, what meaningful oversight looks like when models are complex, and where responsibility sits when multiple teams, suppliers and systems are involved.
It is no longer enough to identify potential risk. Firms must be able to show – consistently and credibly – that those risks are actively managed.
This is where the real gap sits. As firms move beyond experimentation and try to operationalise AI, a more fundamental constraint becomes clear. In most cases, the limiting factor is not AI capability, but the combination of generative AI (GenAI) tools and the quality, consistency and reliability of the underlying data.
Mainstream GenAI and LLM based tools are highly effective at text extraction, summarisation and surface level pattern recognition. They can turn large volumes of content into something more digestible. However, they are not designed to support regulated decision making. They do not inherently understand what financial advice data represents, how values relate to one another, or why one data point should be trusted over another.
Critically, these models often struggle to provide the explainability, traceability and auditability that regulators expect. They can silently resolve conflicts, obscure data lineage, and produce outputs that sound confident even when they are incomplete or wrong. As a result, firms frequently end up increasing human oversight rather than reducing it – spending more time validating outputs, resolving inconsistencies and evidencing compliance.
By contrast, purpose-built (predictive) AI models for analytics and prediction are designed around structured, trusted data. They are trained to understand how advice data is created, how it changes over time, and when it must be corrected rather than inferred. This enables predictive analysis, consistent MI, and defensible insights that can be traced back to source and explained to regulators.
The more reliable, explainable and auditable the data foundation becomes, the more safely AI can be applied. In regulated environments, value does not come from applying GenAI and LLM models to unstructured data, but from combining selective GenAI capabilities with predictive AI operating on trusted, regulator-ready data. That is what allows automation to scale – and risk to come down.
From enthusiasm to accountability
Internally, the tone of AI discussions is changing. Opportunity-led conversations have not disappeared, but they now sit alongside much more practical concerns about governance, control and evidencing.
Risk and compliance teams are more deeply involved, and senior managers are being asked tougher questions about systems they may not have built themselves. In many cases, AI is simply making existing weaknesses harder to ignore – unclear data ownership, inconsistent documentation or fragile oversight models become far more difficult to justify once decisions are made at speed and scale.
AI regulation and risk: what financial services leaders need to prove
Regulatory expectations around AI continue to evolve, informed by what supervisors are seeing in practice. That leaves a window for firms to act.
Those investing now in stronger data foundations, clearer governance and defensible evidencing mechanisms are likely to be better placed as scrutiny increases. In practice, this matters far more than trying to predict the precise shape of future rules.
As Joe Norburn, CEO of TCC Group and Recordsure, has highlighted, AI in financial services is no longer about whether it can deliver value. The real question is whether firms can prove – to themselves, to boards and to regulators – that it is being used safely, transparently and at scale.
Supporting firms with governance, evidencing and operational oversight
As regulatory expectations sharpen, firms are focused less on whether to use AI and more on how to embed it safely into day‑to‑day operations. TCC supports this through a combination of advisory services, interim leadership and managed services. Our advisory teams help boards and senior managers interpret regulatory expectations and design proportionate AI governance. Interim leaders provide hands‑on capability to embed compliance, controls and accountability into operational teams during periods of change. Managed services then support business‑as‑usual delivery, providing human‑in‑the‑loop oversight where judgement, challenge and evidencing remain critical.
This is complemented by Recordsure’s AI‑driven analytics, designed specifically for regulated environments. By operating on trusted, structured data and using predictive AI models to analyse data, Recordsure enables explainable insights, consistent MI and auditable evidence that supports both regulatory engagement and internal assurance.
If you are exploring how to strengthen AI governance, evidencing or oversight within your firm, speak to TCC about how our advisory, managed services and Recordsure AI capability can help.