FCA Consumer Duty and AI: a compliance framework for UK firms
FCA Consumer Duty applies to AI systems used in UK financial services in the same way it applies to any other product, service, or operating process: firms must act to deliver good outcomes for retail customers, with consumer vulnerability handled appropriately and outcomes monitored on an ongoing basis. The Duty came into force on 31 July 2023 for new and existing products and services, with the implementation date for closed products extended to 31 July 2024. AI systems used to assess, price, sell, support, or make decisions about retail customers all fall inside the scope. This guide sets out a structured compliance framework: what the Duty requires of AI systems, how Principle 12 and PRIN 2A apply to AI decisioning, what good outcomes look like in an AI context, how to evidence consumer vulnerability handling, and where the FCA Innovation Pathways and Regulatory Sandbox fit for AI firms.
What does FCA Consumer Duty require of AI systems?
FCA Consumer Duty requires firms to act to deliver good outcomes for retail customers across four outcome areas: products and services, price and value, consumer understanding, and consumer support. AI systems used in any of those four areas inherit the obligations directly. There is no AI-specific carve-out and no general principle that AI is exempt because the model is third-party or off-the-shelf. The firm holds the obligation; it can outsource the system but not the responsibility.
The practical implications break into four threads. First, products and services: AI used in product design, eligibility scoring, segmentation, or product recommendation must be tested to ensure the resulting product is fit for the target market and does not cause foreseeable harm. Second, price and value: AI used in pricing, fee setting, or risk-based premium calculation must produce outcomes the firm can defend as fair value, with equality and discrimination risks actively managed. Third, consumer understanding: AI used in disclosures, in-app explanations, or chatbot interactions must communicate clearly enough that the customer can make an informed decision, including in stressed or vulnerable moments. Fourth, consumer support: AI used in onboarding, in-life support, complaints handling, and exits must enable the customer to act and be heard, not act as a barrier between the customer and the firm.
The Duty also requires firms to monitor outcomes and intervene where they fall short. For AI specifically, this means that the model is not "fire and forget"; the firm must have a measurement plan, a monitoring frequency, a tolerance for drift, and a documented intervention path when the data shows that outcomes are deteriorating. Outcomes monitoring on AI systems should sit inside the firm's wider Consumer Duty management information rather than as a separate engineering KPI.
The FCA has been explicit that existing principles, rules, and standards apply to AI rather than waiting for an AI-specific rulebook. A joint discussion paper from the FCA, the Bank of England, and the Prudential Regulation Authority on AI in financial services (DP 5/22, published 2022) and subsequent FCA AI updates have reinforced this position. The expectation in 2026 is that boards understand which AI systems touch Consumer Duty workflows, who owns each system, and how outcomes are monitored. For the broader compliance picture, see our 2026 UK AI compliance checklist and the financial services industry page.
How does Principle 12 / PRIN 2A apply to AI decisioning?
Principle 12 of the FCA Principles for Businesses requires firms to act to deliver good outcomes for retail customers, and the supporting rules in PRIN 2A of the FCA Handbook expand that into specific cross-cutting and outcome rules. For AI decisioning systems, the cross-cutting rules in PRIN 2A.2 (act in good faith, avoid foreseeable harm, enable and support customers to pursue their financial objectives) translate into concrete design requirements that should sit inside the firm's model risk management framework.
Three categories of AI decisioning attract particularly close scrutiny under Principle 12 and PRIN 2A in 2026. The first is credit decisioning: AI used in affordability assessment, credit risk scoring, or limit-setting decisions. The second is insurance pricing and claims: AI used in risk-based premium calculation, fraud screening, or claims triage. The third is product recommendation and suitability: AI used in robo-advice, in-app product nudges, or any sequence of automated steps that influence what a retail customer buys.
Across all three, four design principles fall directly out of the cross-cutting rules. First, explainability sufficient for the firm to defend the decision to the customer, the FCA, and the Financial Ombudsman Service if challenged. Pure black-box models without an explanation layer are increasingly difficult to defend in regulated workflows. Second, demonstrable absence of unfair discrimination, with the firm's fairness testing methodology documented and the test results retained. Third, a defined human-in-the-loop point at which a person can review, challenge, or override the AI decision, especially for adverse outcomes (declined applications, increased premiums, denied claims). Fourth, a record-keeping standard sufficient to reconstruct the decision after the fact, including the model version, the input data, the output, and the human review trail.
The Senior Managers and Certification Regime (SMCR) sits behind all of this. The Senior Manager responsible for the function in which the AI operates is accountable for the outcomes the AI produces, regardless of who built or operates the model. Boards are increasingly asking which Senior Manager owns each material AI system, and where there is no clear answer the AI is not yet operating to the standard the Duty expects. For implementation support around AI governance design, see our AI implementation service.
What does 'good outcomes' mean in an AI context?
Good outcomes in an AI context means that the AI helps the customer get to a better result, on a measure that is defined in writing before deployment and tracked after deployment, across the four Consumer Duty outcome areas. The opposite is "model accuracy" used as a proxy for customer outcome; an AI model can be highly accurate against its training objective and still produce harm if the training objective is not aligned with the customer's interests.
The Duty's four outcomes give a structure for defining what to measure. The table below summarises how each outcome translates into a practical AI measurement focus.
| Consumer Duty outcome | AI-specific measure | Typical evidence |
|---|---|---|
| Products and services | Suitability of AI-influenced sales for the target market | Sales mix vs target market profile, post-sale suitability sampling |
| Price and value | Fair-value distribution across customer segments, including vulnerable | Fair value assessments per cohort, fairness testing on pricing model outputs |
| Consumer understanding | Customer comprehension of AI-driven communications and disclosures | Comprehension testing, complaints relating to misunderstanding, click-through and read-time data |
| Consumer support | Resolution and escalation quality of AI-driven support journeys | First-contact resolution rates, AI-to-human escalation success, complaints data segmented by AI versus human channel |
Monitoring frequency matters as much as the metric. The FCA expects firms to monitor outcomes regularly enough to spot drift before it produces material harm, and to act on what the data shows. For high-velocity AI systems (real-time pricing, real-time fraud), monitoring should be near-continuous with automated alerts. For lower-velocity systems (eligibility scoring refreshed monthly, for example), monthly or quarterly board-level review is the norm. The wrong answer is annual review of an AI system that is making thousands of customer-affecting decisions per day.
A practical pattern that holds up under FCA scrutiny is to publish (internally) an outcomes scorecard for each material AI system, refreshed at the chosen monitoring frequency, with a defined tolerance for each metric and a documented action when the tolerance is breached. The scorecard sits inside the firm's Consumer Duty management information pack and is visible at the board. When the FCA asks, the firm can produce the scorecard, the underlying data, and the action history without needing to construct it retrospectively.
How do firms evidence consumer vulnerability handling?
Consumer Duty requires firms to identify and respond to consumer vulnerability across all four outcomes, and AI systems must be designed and tested with vulnerability in mind. The FCA's vulnerability guidance (FG 21/1, finalised in 2021) defines four drivers of vulnerability (health, life events, resilience, capability) and is the canonical UK reference for what vulnerability means in financial services. AI systems that ignore vulnerability or actively disadvantage vulnerable customers fail the Duty regardless of how well the model performs on average.
The evidencing standard expected of firms in 2026 includes four elements. First, a documented vulnerability impact assessment for each material AI system: which vulnerable groups are likely to be affected, how, and what mitigations are in place. Second, training data and model fairness testing that explicitly tests for disparate impact on vulnerable segments where data is available, with the methodology and results retained. Third, an explicit human escalation route for any AI interaction in which a vulnerability indicator is detected (a request for a payment holiday, a mention of bereavement, repeated unsuccessful login attempts from a customer flagged as having capability vulnerability), with the escalation evidenced in the audit trail. Fourth, monitoring data broken down by vulnerability indicator where the firm can do so without itself creating a privacy or discrimination risk.
For AI chatbots and voice systems specifically, three controls are now standard practice in UK regulated firms. First, vulnerability keyword detection that triggers a routing decision rather than a continued AI interaction. Second, clear and prominent routes to a human at every step of the AI flow, with no friction designed to keep the customer in the AI channel. Third, explicit testing of how the AI behaves in distressed or stressed conversations, including edge cases sourced from real complaints and case file data. AI that performs well on the median customer but fails on the vulnerable customer fails the Duty.
Where vulnerability handling is materially weak, Section 166 of the Financial Services and Markets Act 2000 (the Skilled Persons review) is the supervisory tool the FCA uses to commission an independent review at the firm's cost. A Section 166 review on AI vulnerability handling is the kind of remediation event firms should design their controls to avoid. For a practical view of where AI is already landing across the sector, see our 2026 guide to AI in UK financial services.
What is the FCA sandbox route for AI firms?
The FCA Innovation Pathways service and the FCA Regulatory Sandbox are the two primary routes for firms (including AI-specific firms) to engage the FCA early on novel propositions or regulatory uncertainty. Innovation Pathways is the front door: a structured advisory route that helps firms understand which permissions they need, how existing rules apply, and what the supervisory expectation is for the proposition. The Regulatory Sandbox is the live-testing route for firms that need to test a product with real customers under FCA oversight before wider launch.
For AI firms, three sandbox use cases come up most often. Novel AI-driven retail propositions where the firm needs to test customer outcomes in a controlled cohort before national rollout. AI features added to an existing regulated product where the firm wants supervisory comfort on the Consumer Duty fit before launch. Cross-firm or industry pilots, including the AI Sandbox / Supercharged Sandbox initiatives the FCA has promoted in recent updates. Sandbox cohorts run on published timelines; check the FCA Innovation pages for the current cohort window before assuming availability.
The realistic SME view is that Innovation Pathways is broadly accessible and worth using when there is genuine regulatory uncertainty; the Regulatory Sandbox is narrower and only worth pursuing when the proposition genuinely needs live customer testing under supervisory cover. For most AI firms, the right starting point is Innovation Pathways plus a robust internal Consumer Duty assessment, with the Sandbox reserved for the small number of cases where it adds material value. For broader AI strategy support across regulated workflows, see our AI strategy service and the industry section of the Knowledge Hub.
Frequently asked questions
- Which UK financial services firms is FCA Consumer Duty in scope for?
- FCA Consumer Duty applies to firms whose products or services are used by retail customers in the UK, including banks, lenders, insurers, payment firms, asset managers serving retail, mortgage intermediaries, and credit brokers, among others. The Duty came into force on 31 July 2023 for new and existing products and services and on 31 July 2024 for closed products. Firms that are wholesale-only and have no retail consumer relationship sit outside the Duty itself, though they may still be affected through the distribution chain to retail customers.
- When does an AI feature become a 'decisioning system' for FCA purposes?
- An AI feature is best treated as a decisioning system when its output materially shapes a decision that affects a retail customer, whether or not a human is in the loop at the point of decision. This includes AI-driven eligibility checks, credit scoring, pricing adjustments, fraud declines, claims triage, and product recommendations. Decision-support AI used by a human who fully reviews and overrides the suggestion is also in scope where the human is materially influenced by the AI output. The conservative interpretation is to treat AI in any customer-affecting workflow as a decisioning system for governance purposes.
- Is the FCA Sandbox a realistic route for an SME AI firm?
- It can be, but it is narrower than firms often assume. The FCA Regulatory Sandbox is designed for firms that genuinely need live customer testing under supervisory oversight before a wider launch. For most AI propositions, Innovation Pathways (the FCA's advisory route) is the more realistic and lower-friction starting point. The Sandbox is worth pursuing where the proposition is genuinely novel, where customer testing materially de-risks the launch, and where the firm has the capacity to engage with supervisory cover throughout the cohort window.
- Could a Section 166 Skilled Persons review be triggered by AI failures?
- Yes. Section 166 of the Financial Services and Markets Act 2000 allows the FCA to commission an independent review at the firm's cost where it has supervisory concerns. AI failures that produce material consumer harm, evidence of disparate impact on vulnerable customers, or governance gaps around model risk are all credible triggers. Firms with material AI in retail-facing workflows should design their controls and evidencing to ensure that, if a Section 166 were ever commissioned, the firm could demonstrate a robust position on the four Consumer Duty outcomes and on vulnerability handling.
- How should firms evidence vulnerability handling in AI workflows?
- The expected evidence stack includes a documented vulnerability impact assessment per material AI system, fairness testing for disparate impact on vulnerable segments where data permits, a clear human escalation route triggered by vulnerability indicators in the conversation or data, and outcomes monitoring broken down by vulnerability indicator where this can be done without itself creating a privacy or discrimination risk. The FCA's FG 21/1 vulnerability guidance is the reference framework, and the firm's evidencing should map back to its four drivers (health, life events, resilience, capability).