The FCA published the findings of the Mills Review on 6 July 2026, setting out seven priority recommendations for how AI should be regulated in retail financial services through to 2030 and beyond. The review, led by Sheldon Mills, ran a call for input from 27 January to 24 February 2026, drew on 140 written submissions, and asked 20 questions across four themes: how AI will evolve, how it will affect markets and firms, how it will affect consumers, and how regulators need to change.
Firms have been waiting for this document. The Treasury Committee said in January that a lack of regulatory clarity had slowed AI adoption across the sector, and many firms paused investment decisions until the FCA showed its hand. As of today, the FCA has shown it.
The review concludes that the existing regulatory framework remains fit for purpose and recommends no new AI-specific rules. Its most significant proposal is an Agentic Supervisory Model, a set of AI-enabled tools that would let the FCA monitor outcomes across firms in near real time and detect risks that no single firm can see. Decisions on which recommendations to take forward now rest with the FCA Board and Executive.
What the FCA found: the four themes
1. How AI will evolve
The review expects AI capability to keep advancing quickly, with agentic systems acting inside firms and on behalf of consumers by 2030. More than 20 frontier models were released between the review starting in late 2025 and publication, alongside hundreds of smaller variants, and the report treats that pace as the central driver of everything else in it.
To explain what changes as capability grows, the review sets out an autonomy spectrum with five human roles. As an operator, the human uses AI as a tool. As a collaborator, the two plan and act together. As a consultant, AI recommends and the human decides. As an approver, AI prepares actions the human authorises. As an observer, AI acts continuously within agreed limits while the human monitors outcomes. Most of the review’s regulatory analysis hangs off this spectrum: the further along it a use case sits, the harder consent, accountability and redress become to evidence.
On the technology itself, the findings name state space models as a route to cheaper real-time monitoring, fraud screening and transaction analysis, and neuro-symbolic systems as a way for firms to show how an output was reached and whether relevant requirements were applied. AGI and quantum computing are treated as disruptive uncertainties with unknown timing and far-reaching consequences.
2. Markets and firms
By 2030, the review expects many firms to have embedded AI across almost every function, from customer support and underwriting to compliance, claims and product design. It describes firms moving away from periodic review, manual sampling and fixed workflow rules towards continuous monitoring of activity, with earlier intervention when customers show signs of difficulty or product performance suggests emerging harm. Governance, it says, will need to operate the same way, running alongside the systems it controls across all three lines of defence.
On competition, the findings identify control of the AI-mediated customer interface as a likely major source of market power. As consumers rely on agents to search, compare and transact, whoever owns that layer influences which products are visible, how choices are ranked and where value is captured. Firms’ own submissions to the review reported dependency on a core group of US-based models and a handful of hyperscalers, and the findings warn that shared reliance on similar models could produce correlated behaviour, herding and common points of failure across the system.
On the regulatory perimeter, the review finds the Critical Third Parties regime technology agnostic and capable of capturing major AI and cloud providers where designation criteria are met. It goes further on powers: the long-term recommendation asks the FCA to request that government strengthen its powers under the CTP regime and the Designated Activities Regime, and give the FCA and other sectoral regulators direct powers under the Digital Markets, Competition and Consumers Act.
3. Consumers
The review confirms the Consumer Duty as the anchor for consumer protection in AI-mediated financial services. Its consumer research found 1 in 5 UK adults already open to AI making decisions for them, with demand strongest for debt advice, pensions and investments, and around 26% trusting general-purpose tools such as ChatGPT, Claude or Gemini for financial advice, often with limited awareness that formal routes to redress will not apply. The survey splits consumers into four cohorts: 43% sceptics, 31% cautious, 19% optimists and 7% over reliant.
The Duty holds at lower levels of autonomy, and comes under pressure at higher ones. The findings flag that one-off consent may prove insufficient where systems act continuously, that consumer understanding becomes harder to evidence in dynamic personalised journeys, and that AI-enabled pricing may make it harder to distinguish benign personalisation from extraction.
On advice and guidance, the review coins a term for what general-purpose models already do: advice-like support, meaning highly personalised output that would count as regulated advice if it sat within the perimeter. This drives the review’s first and most time-bound recommendation, a perimeter review to be completed within three to six months, examining how consumers use general-purpose LLMs across savings, investments, pensions, mortgages and debt management, and whether the FCA should amend guidance, recommend perimeter changes to government, or hold its current approach. The findings also ask the FCA to monitor whether targeted support can later be adjusted so regulated firms can use AI on a more individualised basis.
For consumers who cannot pay for frontier tools, recommendation seven proposes a free, public-interest AI-enabled financial capability service, convened by the FCA with HM Treasury, the Money and Pensions Service, consumer bodies and industry, and described in the findings as a possible sovereign-style model.
4. How the regulator will change
The position the FCA took into the review held: the findings recommend keeping the principles-based, outcomes-focused framework and writing no AI-specific rules. Engagement respondents did not ask for a new regime. They asked for clarity on how the existing one applies as autonomy increases.
The findings map that pressure regime by regime. The Senior Managers Regime and Consumer Duty operate effectively while humans act as operators, collaborators and consultants, with pressure emerging at the approver and observer stages, where meaningful human control becomes difficult to evidence. Operational resilience and the perimeter show strain earlier, driven by concentration and by influence sitting outside the perimeter. No firm argued that the SM&CR accountability model should change, and the review agrees it still applies, recommending clearer guidance on the reasonable steps senior managers must take as delegation increases.
The centrepiece is recommendation six, the Agentic Supervisory Model. Under it, the FCA would deploy AI across authorisation, supervision and enforcement, monitor outcomes across firms in near real time, and eventually run agent-to-agent workflows in which supervisory agents triage firm submissions, test evidence against expectations and generate information requests. The review is specific about limits: the FCA should develop its own AI to the consultant and approver levels only, with human supervisors keeping responsibility for judgement and intervention. The model depends on firms providing timely, structured, high-quality data, and the findings anticipate reporting moving from periodic returns towards continuous, event-driven flows.
The seven priority recommendations in full: secure and adapt the regulatory perimeter; strengthen system-wide coordination and oversight; monitor the transition to autonomous models and adapt regulatory frameworks; scale up the FCA’s AI Lab; enable the foundations for agentic finance, with trusted agent standards built through Open Finance as the recommended route; build and adopt the Agentic Supervisory Model; and develop a trusted public-interest AI-enabled financial capability service.
What this means for compliance and risk teams
Map where your quality assurance coverage sits today. Recommendation three asks the FCA to strengthen expectations on evidencing outcomes and control, including monitoring system behaviour in live operation, testing that extends beyond deployment, and controls that detect when systems move outside expected bounds. The findings describe continuous monitoring displacing periodic review and manual sampling as AI spreads through firms. Teams still running sample-based QA should assess what share of client interactions and AI-influenced decisions they can actually evidence, and how quickly.
Put a name against AI oversight under SM&CR. Senior managers remain personally accountable, and the review recommends clearer guidance on the reasonable steps they must take as systems become more autonomous. The findings point to assurance tools, including pre-deployment and ongoing checks covering third-party models upstream, as the way senior managers demonstrate those steps. Check statements of responsibilities now, and make sure the challenge of AI outputs is documented, since that is what supervisors will ask to see.
Audit your third-party AI dependencies. Shared model dependencies are named as an ecosystem-level risk: an outage, breach or model degradation at one provider could hit many firms at once, and firms using similar models for underwriting or pricing could produce synchronised harm. Map which models and infrastructure your critical services depend on, set impact tolerances, and expect FCA interest in concentration whether or not your providers are ever designated as critical third parties.
Get your data ready for a supervisor that runs on it. The Agentic Supervisory Model depends on firms supplying timely, structured, high-quality data, and the findings anticipate more continuous, event-driven reporting in place of periodic returns. Firms whose outcome data is fragmented across systems will find that transition expensive. Firms who already capture structured records of client interactions and decisions will find it cheap.
Diary the perimeter review. The one firm date in the document: the review recommends the perimeter review completes within three to six months of publication. Its outcome will define how the advice guidance boundary applies in conversational interfaces, which matters to any firm deploying client-facing AI. Beyond that, watch for the FCA Board’s response setting out which recommendations it adopts and on what timetable.
Where Aveni fits
Recommendation three asks the FCA to set stronger expectations on how firms evidence outcomes and control, including monitoring system behaviour in live operation and detecting when it moves outside expected bounds. Detect was built for that standard: it monitors every client call, where sample-based QA covers a small fraction, so compliance teams can evidence outcomes across the whole book instead of a sample of it. Assist produces a documented record of every client meeting, which supports the evidence trail the review says senior managers will need as they demonstrate reasonable steps over increasingly automated work.
The upcoming deadlines to know
Firms now have the FCA’s direction in writing: the framework stays, supervision changes, and the evidence bar rises. One date is already set, with the perimeter review recommended to complete within three to six months, and the FCA Board’s response will set the rest of the timetable. The firms best placed for what follows are the ones that can already show, today, how their AI behaves in live operation.