FCA AI Paper: What It Requires and Who It Applies To
The FCA Discussion Paper on Artificial Intelligence (DP5/22) is a UK Financial Conduct Authority consultation, published in October 2022, that maps existing FCA regulatory obligations onto AI and machine learning systems deployed by regulated firms. It applies to all FCA-regulated entities, including banks, insurers, and investment managers, with no size threshold, and sets the expectation that current rules on accountability, explainability, and fairness already govern AI use.
What is the FCA AI Paper?
The FCA Discussion Paper on Artificial Intelligence (DP5/22) is a regulatory consultation published by the UK Financial Conduct Authority in October 2022. It doesn't create new standalone rules. Its central argument is that existing FCA obligations already cover AI: the Senior Managers and Certification Regime (SMCR), Consumer Duty, SYSC systems and controls requirements, and the FCA's Principles for Businesses all apply to AI and machine learning systems deployed by regulated firms.
The FCA ran a Call for Input on AI and machine learning in 2021. That process attracted over 70 responses from firms and trade associations and confirmed what supervisors suspected: AI adoption was growing fast across retail banking, wholesale markets, and insurance, but governance discipline wasn't keeping pace. Banks were building credit models, fraud detection systems, and automated customer service tools without the rigour they'd apply to any other material business system.
DP5/22 identified five cross-cutting themes as the lens for AI governance: safety and performance, explainability, fairness, accountability, and data integrity. The paper sought industry views on whether existing obligations were sufficient or whether AI-specific guidance was needed.
The FCA published its Feedback Statement FS23/5 in November 2023, summarising industry responses and confirming that sector-specific guidance, rather than new prescriptive legislation, would be the near-term approach. The UK government has adopted a broadly pro-innovation stance toward AI regulation, deliberately distinct from the more prescriptive EU AI Act.
The paper is best read alongside the PRA's Supervisory Statement SS1/23 on Model Risk Management (published May 2023), which sets more prescriptive requirements for model validation, documentation, and lifecycle governance at UK-chartered banks. Together, DP5/22 and SS1/23 define the current UK AI governance framework for financial services.
Who does the FCA AI Paper apply to?
DP5/22 applies to all firms regulated by the FCA that deploy AI or machine learning in any material part of their operations. There's no size threshold. The FCA's position is clear: regulated status, not firm size, determines scope. A fintech with 30 employees using an AI underwriting model has the same governance obligations as a major bank.
In practice, supervisory focus has concentrated on:
- Retail banks and building societies using AI for credit scoring, affordability assessments, fraud detection, and customer service automation
- Investment banks and brokers running algorithmic trading, automated market surveillance, and AI-driven risk models
- Insurance firms applying AI to pricing, claims assessment, and underwriting decisions
- Consumer credit firms relying on automated creditworthiness tools and affordability checks
- Wealth management and robo-advisory platforms where AI drives investment recommendations
- Payment service providers using AI-based fraud scoring and real-time transaction monitoring
- Crypto-asset firms within the FCA's expanding regulatory perimeter
Firms headquartered outside the UK but regulated by the FCA for UK-facing activities are in scope. Crucially, deploying a third-party AI model doesn't shift regulatory accountability. If you deploy the model, your firm owns the compliance obligation. The FCA has been explicit about this in both the paper and subsequent supervisory communications.
The SMCR dimension matters here. Any firm using AI in a material business process needs a named Senior Manager personally accountable for governance of those systems. The Consumer Duty (effective July 2023) extended this further, requiring firms to demonstrate that AI-driven customer decisions produce good outcomes across all customer segments, not just aggregate performance metrics.
What does the FCA AI Paper require?
DP5/22 doesn't publish a standalone compliance checklist, but combining the paper's five themes with the underlying FCA rules produces a concrete set of obligations:
Designate a Senior Manager for AI accountability. Under SMCR, a named senior function holder must be personally accountable for AI governance. This person must be able to explain the firm's AI use, its controls, its testing approach, and any failures, to the FCA on demand.
Build explainability into systems affecting customers. AI used in decisions with customer impact must be explainable at the individual decision level, both to the customer and to the regulator. For credit decisions, this connects directly to Consumer Duty's requirement for clear adverse decision rationale. The EU AI Act Article 6 sets a parallel obligation for high-risk AI in the EU, covering credit scoring as a defined high-risk category.
Test for bias and discriminatory outcomes. Firms must test AI outputs against protected characteristics as defined by the Equality Act 2010. That means training data bias audits, outcome disparity analysis across demographic groups, and re-testing after any material model update. Using historical data that encodes historical discrimination isn't a technical limitation; it's a compliance failure.
Document and govern training data. Training datasets need documented provenance, known quality gaps, cleansing methodology, and version control. The FCA expects data governance discipline equivalent to what firms apply to regulated reporting systems.
Validate models independently before deployment and at regular intervals. The US Federal Reserve's SR 11-7 model risk management guidance is widely referenced in UK validation frameworks even though it's a US instrument. The UK's PRA SS1/23 is the domestic equivalent for banks.
Meet Consumer Duty obligations for automated processes. Automated systems affecting retail customers must demonstrably produce good outcomes. AI that causes foreseeable harm, whether a biased credit model or a misleading chatbot, is a Consumer Duty violation regardless of intent.
Apply full governance to third-party AI. Vendor AI models face the same requirements as internally built systems. Firms must obtain and assess the vendor's model validation documentation, data handling practices, and explainability capabilities before deployment.
Define AI incident response processes. Firms need clear procedures for detecting, escalating, and remediating AI system failures, including model drift, unexpected output distributions, and bias emergence in production.
What evidence do regulators expect?
The FCA's supervisory teams and Section 166 skilled person reviewers don't accept verbal assurances. On an AI governance review, examiners will ask for documented evidence across each of these areas:
- AI system inventory: A complete register of all AI and ML models in production, including vendor-supplied tools. Each entry needs: business function, risk classification, deployment date, last validation date, and named senior manager owner.
- Model governance policy: Board-approved policy covering the full model lifecycle, from development through retirement, with version history showing when and why changes were made.
- Validation reports: Independent validation reports for each material model, including out-of-time test results, performance metrics across different data subsets, and documented sign-off by an independent reviewer.
- Bias and fairness audit results: Documented disparity testing across demographic groups, with evidence of what remediation was applied where gaps were identified.
- Training data documentation: Data lineage records, quality assessments, and records of any manual adjustments or weightings applied to training datasets.
- Explainability demonstrations: A working capability to generate an individual-level explanation for any AI-driven customer decision, tested against real cases rather than hypothetical examples.
- Consumer outcome monitoring: Regular evidence that AI-driven decisions produce fair outcomes across customer segments, not just aggregate accuracy metrics.
- Third-party AI due diligence files: Vendor contracts, SLAs, model documentation received from the vendor, and the firm's own assessment of vendor governance quality.
The FCA's FS23/5 feedback statement flagged two recurring gaps. Firms frequently couldn't produce consistent model inventories. Explainability documentation was theoretical rather than tested against real cases. These two gaps are the most common triggers for deeper supervisory scrutiny, including Section 166 reviews.
Common failure modes
The FCA's FS23/5 and subsequent multi-firm AI reviews have identified consistent patterns across supervised firms:
- No named senior manager for AI: Firms had AI governance committees but no individual personally accountable when the FCA asked who owned a specific AI failure. Governance committees don't satisfy SMCR's personal accountability requirement.
- Training data bias inherited from history: Credit models trained on historical lending data reproduced historical discrimination. "The model performed as designed" is not a defence if the design embedded unfair outcomes. Black-box models are an acute risk here: when firms can't audit what the model has learned, they can't identify or correct discriminatory patterns.
- Vendor model opacity: Firms deployed vendor AI tools, including large language model applications, without obtaining adequate model documentation. "Our vendor is responsible" has consistently been rejected as sufficient justification.
- Model drift without detection: Production models degraded over time due to data distribution shifts, and no monitoring system caught it. This is common in fraud detection, where criminal tactics evolve faster than retraining cycles.
- Explainability gap at the customer interface: Firms built system-level explainability but couldn't generate a per-customer explanation in response to a complaint or a Data Subject Access Request.
- Consumer Duty misalignment: Automated customer journeys, including chatbots and robo-advice flows, were deployed without assessing them against Consumer Duty's good outcomes standard.
The FCA's enforcement history makes clear that SYSC obligations covering inadequate systems and controls predate the AI paper and are actively enforced. The FCA's Final Notices database, accessible at fca.org.uk/news/final-notices, contains several cases involving algorithmic and automated system failures at major firms.
Penalties for non-compliance
The FCA has no AI-specific penalty regime. Enforcement happens under the existing rule breaches that AI failures expose. The applicable frameworks are:
SYSC (Systems and Controls): Financial penalties are unlimited in theory, calibrated to the FCA's penalty methodology. The standard approach applies a percentage of relevant revenue, with aggravating factors for deliberate or reckless misconduct and senior management awareness. Fines for material systems and controls failures at significant firms typically fall between £5 million and £50 million.
Consumer Duty: The FCA can require full customer remediation. A biased credit model affecting 100,000 customers creates a remediation exposure that dwarfs any headline fine. The FCA has been explicit that using automated processes doesn't limit a firm's obligation to remediate affected customers.
SMCR personal liability: Named Senior Managers face personal financial penalties and potential prohibition from working in regulated financial services. The FCA's historical range for personal fines runs from £20,000 to over £1 million in cases involving senior management culpability.
Section 166 Skilled Person reviews: The FCA can require firms to appoint an external reviewer at the firm's own expense. These reviews typically cost between £500,000 and £2 million in external fees, with significant internal resource absorption over months.
Permission restrictions: For persistent or serious failures, the FCA can suspend or withdraw regulatory permissions, effectively halting operations in affected business lines.
Benchmark: The FCA fined Goldman Sachs International £34.4 million in October 2022 for MiFID II transaction reporting failures that included data quality failures in automated reporting systems. The full case is available via the FCA's Final Notices search.
Related regulations and frameworks
The FCA AI Paper doesn't operate in isolation. Several overlapping instruments set parallel or complementary obligations:
PRA Supervisory Statement SS1/23 (Model Risk Management Principles for Banks, May 2023): The most directly binding instrument for UK-chartered banks. SS1/23 sets out seven principles covering model identification, governance, development, independent validation, deployment, change management, and decommissioning. The full text is available from the Bank of England. Banks should treat SS1/23 and DP5/22 as a paired framework, not alternatives.
UK MLR 2017: AI systems used in AML transaction monitoring and customer due diligence must satisfy the Money Laundering Regulations 2017's adequacy requirements. The MLRs don't prescribe technology, but supervisors assess whether AI-powered controls are genuinely effective at detecting financial crime.
EU AI Act: UK firms with EU-regulated operations face binding requirements for high-risk AI systems, a category that explicitly covers credit scoring and insurance pricing. The UK's approach tracks similar themes through existing regulatory frameworks rather than dedicated AI legislation.
DORA: For UK firms with EU-regulated operations, the Digital Operational Resilience Act imposes ICT risk management requirements on AI systems, including documented testing, incident reporting, and third-party oversight.
UK GDPR, Article 22: Automated decisions with legal or similarly significant effects on individuals trigger rights to human review and explanation. This directly intersects with AI-driven credit decisioning, insurance underwriting, and fraud screening systems.
FATF Recommendation 15 sets the global baseline for AI used in financial crime controls, calling on countries to ensure regulated entities can identify and assess ML/TF risks from new technologies. UK firms should read DP5/22's AI governance expectations through that lens when applying them to transaction monitoring and sanctions screening.
How FluxForce supports FCA AI Paper compliance
FluxForce's AI agents generate full audit trails and decision explanations for every compliance action, directly addressing the FCA's explainability expectations. Nova Sentinel provides continuous model performance monitoring to detect drift before it affects customer outcomes. Aiden Flux documents transaction rationale at the individual decision level, producing the per-customer evidence regulators expect during supervisory reviews. All agent activity is logged with tamper-proof timestamps, satisfying the FCA's record-keeping requirements.