Find a lawyerOur capabilitiesYour career
Locations
Our capabilities
News

Select language:

Locations
Our capabilities
News

Select language:

hamburger menu showcase image
  1. Our thinking
  2. Blogs
  3. Risk and Compliance
  4. AI in financial services: emerging regulatory expectations for governance and operational resilience
6MIN

AI in financial services: emerging regulatory expectations for governance and operational resilience

Jul 6 2026

Financial services firms have been using AI for several years to improve efficiency across their operations and to offer new products and services. The continuing question is how they do that in a way that mitigates risks for the firm, their customers and the financial system while remaining compliant with applicable law and regulation and meeting regulators’ expectations. 

UK financial services regulators have made clear that they take a technology-neutral approach to regulation, which differs from the approach taken in other jurisdictions, such as the EU. It is widely acknowledged that many AI-related risks are not unique to AI and many can, in principle at least, be addressed within existing legislative and regulatory frameworks. However, AI adoption is raising number of new practical questions for firms. They face difficulties in mapping existing requirements on governance and operational resilience to specific AI use cases, and uncertainty also remains as to regulator expectations, including for senior managers and the board.

The regulators are seeking closer engagement with industry on AI adoption. Their aim is to better understand emerging use cases, associated risks and practical challenges, and identify where further regulatory clarification or guidance may be required. This is a welcome development for firms.

There have been a number of AI-related publications and updates in recent weeks that are relevant for UK financial institutions. Taken together, they highlight emerging regulatory thinking, and the practical considerations firms will need to address in their AI strategies and governance frameworks. 

Frontier AI and cyber resilience

Frontier AI, defined by the National Cyber Security Centre as the most advanced AI systems in development, has become a key focus for regulators. 

The primary concern relates to the speed and scale at which these systems can be deployed. They are already capable of performing highly complex tasks at a level that exceeds that of skilled practitioners, with clear implications for cyber security at both firm and market level if used maliciously. In practice, frontier AI is narrowing the gap between vulnerability discovery and exploitation, enabling cyber attackers to operate at higher speed, greater scale, lower cost and with increased sophistication. While frontier AI is expected to strengthen cyber defence capabilities over time, the immediate challenge for firms is clear: cyber threats are evolving faster than many existing defensive models can keep pace with, requiring firms to adapt in order to maintain resilience.

On 15 May 2026, the Bank of England, the Financial Conduct Authority (FCA) and HM Treasury issued a joint statement on frontier AI models and cyber resilience. While the statement does not introduce new rules or requirements, it consolidates and reinforces existing expectations under the UK’s operational resilience framework and the Senior Managers and Certification Regime. Firms are expected to maintain effective capabilities across governance, vulnerability management, third-party risk management and incident response and recovery. 

Particular emphasis is placed on the ability to identify, risk assess and remediate vulnerabilities more quickly, more frequently, and at scale, including through automation where appropriate. In addition, firms are expected to ensure that their defensive controls evolve in line with increasingly automated attack methods, including adopting AI-enabled defences capable of responding at comparable pace.

The statement makes clear that technological solutions alone are not sufficient. Governance remains central, and firms should ensure that boards and senior management have an appropriate understanding of frontier AI-related cyber risks.

Shortly afterwards, the Cross Market Operational Resilience Group (CMORG) published guidance for firms on frontier AI. The guidance provides a practical and actionable baseline for firms to assess their cyber resilience and accelerate their response to frontier AI-enabled cyber threats.

CMORG’s guidance emphasises the importance of governance and accountability. Boards and senior management are expected to play an active role. Specifically, firms should “establish clear executive ownership, with aligned leadership expectations for frontier AI cyber preparedness across all relevant functions.” The guidance further encourages firms to move beyond periodic assessments towards more continuous evaluation, enabling faster and more confident decisions during cyber incidents.

The key takeaway from the joint statement and CMORG’s guidance is that firms are expected to take active steps to ensure that their governance and operational resilience frameworks can operate at the speed and scale required to manage cyber risks arising from frontier AI. Firms should therefore assess whether existing arrangements remain fit for purpose and identify where enhancements may be needed to respond to an increasingly AI-enabled threat landscape.

Sound practices for responsible adoption of AI

On 10 June 2026, the Financial Stability Board (FSB) published its consultation report, “Sound Practices for Responsible Adoption of Artificial Intelligence” and is requesting responses to be submitted by 22 July 2026. 

The report sets out a menu of 12 sound practices, complemented by industry case studies, to support financial institutions in developing organisation-wide AI governance and managing the full AI lifecycle. The FSB encourages boards and senior management to use these practices as a reference point when considering business strategy, technology adoption and risk management in an increasingly AI-enabled environment.

Three key points in particular are worth highlighting.

  • On governance, the board and senior management are ultimately accountable for the institution’s adoption of AI, both in setting its strategic direction and providing effective senior-level oversight. Sound practice requires them to align AI adoption and governance with the institution's business model, risk appetite and strategy. In practice, this extends to granular responsibilities, such as defining clear boundaries for AI use and ensuring the institution is adequately resourced to support adoption.
  • On human oversight, sound practice requires financial institutions to implement appropriate and effective oversight calibrated to the materiality, risk, autonomy, complexity and explainability of each AI use case. This goes beyond mere "human-in-the-loop". The FSB identifies six different forms of human oversight, spanning the full spectrum from direct human approval of every decision, through AI-assisted and exception-based arrangements, to high-level human command – and including “kill switch” mechanisms for immediate intervention and “contest” mechanisms to appeal or seek redress against AI-driven outputs.
  • On agentic AI, the report highlights additional steps taken by financial institutions, including assigning individual identifiers to AI agents, restricting their ability to interact with external systems without human approval and placing controls the execution of financial transactions, particularly those involving customers’ funds. 

The final report is expected to be published in October 2026. Once finalised, it is likely to serve as a useful practical reference point for financial institutions seeking to strengthen their AI governance and risk management frameworks.

FCA’s AI initiatives 

The FCA has announced that it expects to publish the findings of the Mills Review at a launch event on 6 July 2026 (see our initial report on the Mills Review here). The event will examine the Review's findings and recommendations, considering how firms and regulators across the wider financial services ecosystem can respond to the long-term opportunities and challenges of AI – including in relation to competition, consumer protection, transparency, and resilience.

The FCA has also reopened the AI Input Zone, launching an online survey through which it is inviting stakeholders to share what works well in practice and where improvements are needed. The survey provides an opportunity to share AI use cases, highlight challenges or barriers, identify areas where further regulatory clarity would help and contribute to the FCA's understanding of emerging risks. The AI Input Zone closes on 19 June 2026.

As firms move from experimenting with AI to deploying it more widely, regulators are paying closer attention to the practical challenges that come with it, particularly around governance and operational resilience. While UK financial services regulators continue to emphasise that existing regulatory frameworks remain broadly fit for purpose, they are increasingly focused on helping firms understand how those frameworks apply in practice as AI capabilities and adoption continue to accelerate. Firms should expect this trend to continue, with greater regulatory engagement, guidance and scrutiny as AI becomes more deeply embedded in business operations and customer-facing products and services.

 

Tags

regulatoryukaifcafinancial institutionsfinancial servicesregulatory frameworkthe financial conduct authority

Authors

London

Cyrus Pocha

Partner - Financial Services Regulatory & Co-head Global Fintech Group, London
London

Claire Harrop

Partner - Financial Services Regulatory & UK Head of Fintech
London

Lauren Moorin

Counsel
London

Sophia Doan

Associate
Latest Insights

Latest Insights

NAVIGATE TO
About usLocations and officesYour careerOur thinkingOur capabilitiesNews
CONNECT
Find a lawyerAlumniContact us
NEED HELP
Fraud and scamsComplaintsTerms and conditions
LEGAL
AccessibilityCookiesLegal noticesTransparency in supply chains statementResponsible procurementPrivacy

Select language:
Select language:
© 2026 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome