
FCA publishes landmark Mills Review into AI and retail financial services: what firms need to know
TLT picks out they key points you shouldn't miss...
What's this about?
The FCA has published a major review into how AI could reshape retail financial services for consumers, firms, markets and regulators by 2030 and beyond. Led by FCA Executive Director Sheldon Mills and commissioned by the FCA Board, the Mills Review (the “Review”) is the first work of its kind initiated by a regulator globally. The Review identifies four major AI-driven shifts likely to impact retail financial services: the transformation of firms; the evolution of consumer journeys into agent-led ones; the reshaping of market power and competition; and the amplification of threats and defences. It concludes that AI is likely to become a defining force in retail financial services, transforming how firms operate, how consumers make financial decisions, and how markets function. For retail financial services firms, the review is not a distant regulatory signal, it is a prompt to act on governance, accountability, fraud defence and inclusive design.
Tamara Raoufi, Legal Director in TLT's Financial Services Regulation team, says...
“What the Mills Review makes clear is that AI governance cannot be treated as a separate workstream from regulatory compliance. As AI moves from a tool that assists humans to a system that acts on their behalf, the traditional compliance question 'who is responsible?' becomes harder to answer and more important to get right. For regulated firms, the priority is not to slow down AI adoption, but to ensure that accountability, auditability and consumer protection are built in from the start, not retrofitted later. The FCA's good and poor practice publication later this year will set clearer benchmarks - firms that have not already started will likely find themselves behind the curve."
The points not to miss...
By 2030, AI will take on a greater share of the work in financial services. The Review sets out an "autonomy spectrum" along which humans progressively move from performing tasks themselves towards setting boundaries, granting permissions and overseeing outcomes produced by AI agents. The spectrum runs through five roles, in summary:
- operator (AI as tool);
- collaborator (human and AI plan and act together);
- consultant (AI compares options and recommends, human gives guidance);
- approver (AI prepares, human authorises); and
- observer (AI acts continuously within agreed limits, human monitors).
The further a system sits along the spectrum, the more the human role shifts from carrying out individual tasks to setting the conditions within which AI systems operate, and accountability becomes harder to trace, especially where models change over time and firms depend more heavily on model providers and external AI agents. This framework is the lens through which the Review assesses both regulatory adequacy and firm-level risk, and as such is worth becoming familiar with.
By 2030, many firms could have moved significantly further along the autonomy spectrum, embedding AI into almost every function from customer support and underwriting to compliance, claims and product design. For leading firms, AI may become the primary method by which they process information, serve customers and evidence outcomes. AI places pressure on governance frameworks because models update continuously rather than on fixed release cycles, they draw on third-party inputs that a regulated firm did not create or build, and they are probabilistic in nature, meaning that managing AI requires extending governance or model risk management frameworks beyond validation at the point of deployment towards live monitoring, tracking drift, model degradation and outliers. Firms that can demonstrate auditability, explainability where needed, robust testing, clear permissions, effective monitoring and escalation will be able to deploy AI more confidently, and acquiring a reputation for trusted AI processes could itself win business.
Demand for automated financial decisions is already emerging: 1 in 5 consumers are open to AI making decisions for them, suggesting the shift to agent-led journeys is a credible near-term development. However, multiple concerns are currently holding back wider adoption:
- 68% of consumers expressed concern about data misuse;
- 67% about lack of protection;
- 65% about the concentration of power among a small number of large organisations; and
- 45% saw no benefit of AI in financial services at all.
The Review notes that those saying there was no benefit were generally older and on lower incomes, meaning access to “good AI” may become a new divide: if the best services are paid for, difficult to use or poorly designed, some consumers who could benefit most may be least able to access them. Firms must design inclusively and cannot assume an AI-first, one-size-fits-all approach will satisfy their Consumer Duty obligations.
Control of and access to AI-mediated consumer interfaces will become a major source of market power and will reshape competitive dynamics. AI may shift the nature of intermediation towards integrating with agents, platforms and data-access layers, while firm-level AI capability will become a core competitive advantage. AI may lower barriers to entry for newer and smaller firms, whilst scale advantages in data, trust and vendor access may favour incumbents. This creates competitive tension between regulated firms and out-of-perimeter AI platforms. A general-purpose AI service may shape consumer understanding, narrow options or recommend courses of action without being part of the traditional financial services relationship, creating an uneven playing field if regulated firms face obligations around communications, advice, promotions and consumer outcomes whilst AI platforms exert similar influence through a different route. Firms need to consider actively how their products and services are presented to, and selected by, AI systems acting on behalf of consumers.
AI will amplify fraud and cyber risks by 2030: they will become faster, cheaper, more scalable and more persuasive. The main pressure is speed and scale, faster exploitation of existing weaknesses, whether in customer-facing processes or cyber controls, and risks will cut across the system, spanning firms, platforms, telecoms, payment rails, identity systems, AI or technology providers and multiple jurisdictions. AI is lowering the barriers to fraud: techniques such as cloned voices, synthetic identities and highly realistic fake content are making scams easier to produce, cheaper to scale and harder to spot, enabling a much wider pool of criminals to carry out convincing fraud, especially when combined with compromised personal data across onboarding, payments, telecoms and digital platforms. Firms should be able to show that AI-enabled controls improve detection, triage or disruption, remain effective as threats evolve, and retain meaningful human control where decisions affect fairness, accountability or customer harm.
The overall regulatory framework remains sound. Its principles and outcomes-based approach, including the Consumer Duty, the Senior Managers Regime (SMR), operational resilience and other key features, was designed to flex across changing business models. However, the Review finds that whilst the SMR would be robust to the challenges of AI operating in Operator, Collaborator and Consultant modes, the increasing opacity inherent in more delegated and autonomous AI operation at the Approver or Observer stage, coupled with factors such as model drift, could create an emerging pressure point in accountability: a potential gap between the outcomes of AI-mediated decisions and the ability of the regulator to identify a de facto responsible party. Stakeholders highlighted that firms need clearer interpretation of how to evidence outcomes in dynamic journeys and how to ensure consent remains meaningful where systems act continuously, particularly at higher levels of autonomy.
The Review sets out seven priority recommendations designed to work together as a system to adapt the regulatory framework, enable effective supervision and support better consumer outcomes. They are:
- secure and adapt the regulatory perimeter;
- strengthen system-wide coordination and oversight;
- monitor the transition to autonomous models and adapt regulatory frameworks;
- scale up the FCA's AI Lab to support AI model and system innovation;
- enable the foundations for agentic finance;
- build and adopt an AI-enabled agentic supervisory model; and
- develop a trusted public-interest AI-enabled financial capability service.
Running in parallel, the FCA will launch an AI good and poor practice publication later in 2026, drawing on direct engagement with firms to find out what is working well, where firms are facing challenges, and where further clarity would help.
Action points for firms
Regulated firms should consider the following steps now, ahead of the FCA's follow-on supervisory activity:
- Map your AI autonomy footprint. Firms are already piloting and starting to roll out more autonomous AI use cases. By 2030, firms could have moved significantly further along the autonomy spectrum across a range of functions, and there will be challenges as they increase the level of AI autonomy, including around the future role of human oversight. Conduct an internal audit of where your current and planned AI deployments sit on the autonomy spectrum.
- Strengthen AI governance now, not later. As AI becomes more embedded, its governance becomes increasingly important. Models shaping consumer outcomes, including Consumer Duty monitoring, fraud and financial crime, complaints handling and affordability assessments, often sit within governance frameworks that will need to evolve. Extend model risk management beyond point-of-deployment validation to cover live monitoring, drift and degradation.
- Prepare for stricter SMR accountability in automated environments. It will not be enough to say that a person remains "in the loop." Firms will need to be clear about what the person is expected to do, what information they receive, when they can intervene, how challenge is recorded and how escalation works. Document these controls clearly now, particularly for AI-assisted decision-making in credit, complaints and compliance.
- Review third-party AI dependencies as a governance priority. Firms remain responsible for outcomes even where systems rely on external models or infrastructure. Some firms may also allow customer agents or third-party systems to interact directly with their infrastructure, increasing the importance of managing not only internal AI systems, but also the terms on which external systems can access data, initiate actions and trigger firm workflows. Review vendor agreements and supply chain oversight accordingly. Firms should also be aware of the impact on their operational resilience: they should be mapping which AI providers represent critical dependencies, assess the impact of provider failure on important business services, and test whether existing impact tolerances and contingency arrangements hold under AI-specific failure scenarios.
- Engage proactively with the FCA's AI Lab and good practice publication. The FCA's AI Lab runs two programmes: the Supercharged Sandbox (for earlier-stage AI experimentation, run in partnership with NVIDIA) and AI Live Testing (for firms ready to test AI in live conditions under intensified FCA supervision). Application windows for current cohorts have closed, but further cohorts are planned. In the immediate term, prioritise the FCA's AI good and poor practice publication, expected later in 2026: this will set the clearest benchmarks to date on acceptable AI deployment, and firms should assess their arrangements against it when it is released.
- Evolve your fraud and cyber defences at pace with AI threats. Cross-firm, cross-sector and cross-border intelligence sharing will detect patterns earlier and enable a faster response to system-wide threats, supported by frameworks such as the Senior Managers Regime and model risk management. Review your AI-enabled fraud defences and ensure cybersecurity fundamentals are in place and robust.
- Build inclusivity into your AI deployment strategy. Some consumers may not want to use AI, may not trust it, or may need non-digital channels because of disability, low confidence, language barriers or vulnerability. If markets become AI-first by default, those consumers could face reduced choice or worse service unless firms design AI routes inclusively and ensure access via other routes where needed. This is directly relevant to Consumer Duty obligations on consumer support and access.
- Monitor the perimeter review for competitive and compliance implications. The FCA is recommended to conduct a review, within three to six months of the date of this report, into the scale, nature and impact of general-purpose LLMs outside the regulatory perimeter, examining consumer use across savings, investments, pensions, mortgages and debt management, and the implications for competition, innovation, growth and potential regulatory arbitrage. The findings could reshape the advice/guidance boundary and firm's competitive landscape.
For further information on the issues raised in this article, please contact TLT's Financial Services Regulation team.
At a glance...
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2026. Specific advice should be sought for specific cases. For more information see our terms & conditions.
Get in touch
Get in touch
Insights & events

Consumer Duty enforcement is here – 11 investigations and counting

FCA publishes landmark Mills Review into AI and retail financial services: what firms need to know

Consumer Duty: Distribution chains, manufacturer obligations and board reporting – what firms need to know

What the first three OFSI Settlements tell us about UK sanctions enforcement

FCA flags financial crime control gaps across insurance sector in new multi-firm review

Government announces once-in-a-generation overhaul of the home buying and selling system

FCA sets out research agenda that will shape regulation for the next five years

UK anti-money laundering rules overhauled: what financial services firms must do now

FCA consults on targeted mortgage rule reforms to support first-time buyers and underserved consumers

Access to banking services review: what financial institutions need to know before the 20 July deadline

FCA sanctions review: the regulator is becoming more proactive - and firms need controls that work in practice

PRA restates CRR definitions into PRA rulebook: what firms need to know before 1 January 2027

FCA formalises annual retail banking data reporting: what banks and building societies need to do now

The countdown begins: what cryptoasset firms must do now to secure FCA authorisation

UK Regulatory Initiatives Grid – May 2026: what financial services firms need to know now

HMT’s policy statement on Consumer Credit Act 1974 reform: Insights for a future-ready consumer credit regime

%20%E2%80%93%20790px%20X%20451px%2072ppi%20LONDON9.jpg)





%20%C3%94%C3%87%C3%B4%20790px%20X%20451px%2072ppi2.jpg)








