The FCA’s David Geale said it in three words. Individuals in financial services firms are “on the hook” for harm caused to consumers through AI.
That line sits in the Treasury Committee’s January 2026 report. The same report asked the FCA to publish guidance by the end of 2026 on the level of assurance expected from senior managers under the SMCR for harm caused through the use of AI.
In plain terms: the FCA has confirmed you are responsible, but has not yet told you what “being responsible” actually requires you to do. That part arrives at the end of 2026. Until then, every Head of Compliance and Chief Risk Officer in the country is accountable for something the regulator has not finished explaining.
Why SMCR was never going to bend around AI
The FCA has held the same line since 2023, and it is not a complicated one. The accountability rules that already exist apply to AI the same way they apply to a spreadsheet, a junior adviser, or a bad Tuesday.
No new job title for “the AI person.” No special AI rulebook. No get-out clause that starts with “well, the model decided.”
To see why, you have to know what the regime was built to stop. Before SMCR, when something blew up in a bank, everyone had somewhere to point. The senior manager blamed the culture. The firm blamed the trader. The committee blamed itself, which is a polite way of saying nobody.
SMCR shut those exits. It put a name against each manager’s patch and a personal duty on them to take reasonable steps to stop things going wrong there.
So “the algorithm did it” is just the old dodge wearing a hoodie. The whole point of the regime is that the regulator can always find a human being. The agent does not take the call. The named senior manager does.
We made the first version of this argument in Count I of AI on Trial: The Burden of Proof. This piece goes after the harder question. Not whether someone is accountable, but what that person actually has to do once an AI agent is loose in their part of the business.
So whose name is on it?
First question in the room: who owns the agent?
There is no Senior Management Function for AI, and there is not going to be one. Instead, the agent slots into the functions that already exist, and depending on what it does, three usually end up holding it.
The Chief Executive, or whoever holds overall responsibility for the business area (SMF1 or SMF18). If the agent matters to how the firm runs or where it is going, the buck stops here. This is the person who has to look a supervisor in the eye and explain why the thing was switched on.
Compliance and the money laundering lead (SMF16 and SMF17). They own the rulebook the agent gets marked against. If you cannot show that what the agent said and did lines up with Consumer Duty, anti-money-laundering rules, and conduct obligations, compliance is in the conversation whether they like it or not.
The Chief Risk Officer (SMF4). Risk decides whether the agent is safe to let out, what guardrails sit around it, and who is watching once it is live. When something goes wrong, the evidence that the agent was tested and controlled lands on the CRO’s desk.
Most firms will spread the responsibility across all three, written into a Statement of Responsibilities. The agent does not get its own job title. It gets a human name attached to every stage of its life.
What “doing your job properly” really means
The legal test is “reasonable steps”. Not perfect steps. Just the steps a sensible person in that role would have taken, written down while they were doing it, and able to hold up later.
The trouble, which the Treasury Committee said out loud, is that the FCA has not published the AI version yet. So managers are taking a rulebook written for humans and applying it to software on their own.
Five things keep coming up.
A documented decision to deploy. The named senior manager signs off on the deployment in writing, with the specific controls they relied on listed. “I approved this on the basis of the following evidence” beats “I delegated this to the team” every time.
A pre-deployment evidence pack. Stress testing, failure mode inventory, remediation log, residual risk statement. We covered the full version in our guide to AI agent stress testing. The senior manager is signing off on the contents of that pack, not the existence of it.
A monitoring regime. What metrics are tracked. What thresholds trigger escalation. Who reviews them and how often. The agent making thousands of decisions a day cannot be assured the same way an adviser making twenty was. We made the case in Count III of the series: sampling 3% of interactions tells you almost nothing about the other 97%.
A retrievable audit trail. When the FCA asks why the agent took a specific action with a specific customer six months ago, the senior manager needs an answer. Not a probability distribution. An answer. Count II of the series sets out why AI-assisted advice without a retrievable record fails Consumer Duty before the regulator even asks the question.
An intervention pathway. When the agent behaves outside risk appetite, what happens. Who is alerted, on what timescale, with what authority to act. Post-event analysis is not intervention. By the time the harm appears in the data, the harm has already happened.
A manager who can lay all five on the table, with dates and names, has done their job. One who cannot is holding a problem no clever model will solve for them.
“But we bought it from a vendor”
Most firms running this stuff did not build it. They licensed it. SMCR could not care less.
Your name stays on the hook for what the agent does in the firm’s regulated work, whoever built the model. A contract can move the financial liability around. It cannot move the regulatory liability anywhere. The vendor is an outsider. The senior manager is the regulated human.
Here is the practical sting. All those clauses in the contract, the audit rights, the documentation, the promise to tell you when something breaks, are part of your evidence. A right you never use proves nothing. And an off-the-shelf model with no finance background and no log of what it did cannot be talked into compliance at the last minute.
What happens when the guidance lands
The FCA has said it will deliver by the end of 2026. We do not know the wording yet, but the direction is not hard to read.
Expect a flat statement that the duty covers AI systems in your area, with no relief for handing the decision to a machine. Expect a clear account of what evidence the regulator wants to see. Expect a few worked examples showing where the line falls.
If your plan is to wait for that document before doing anything, you have misread the clock. Your accountability does not begin when the guidance publishes. It began the day the agent went live.
Build your evidence now and the rest of 2026 is spent sharpening it. Wait, and you spend that time assembling the file after the fact, which is a far worse conversation to be having with a supervisor.
When the FCA does call, the agent will not pick up. You will. The only thing that matters by then is whether your answer is already sitting in a file, with your name on it, written long before anyone thought to ask.
Read the full AI governance series, AI on Trial: The Burden of Proof:
- The Accountability Framework
- Count I: SMCR Compliance and AI Agent Oversight
- Count II: Why AI-Assisted Advice Needs a Retrievable Audit Trail
- Count III: Why Reviewing 3% of Calls Tells You Nothing About the Other 97%
- Count IV: When AI Gets It Wrong: The Risk to Vulnerable Customers
- Count V: Why Financial Services AI Needs Domain-Specific Models
Frequently Asked Questions
Who is accountable under SMCR when an AI agent makes a poor decision?
The named senior manager with responsibility for the business area in which the AI agent operates remains personally accountable under the Senior Managers and Certification Regime. The FCA has confirmed that delegating a decision to an algorithm does not transfer the regulatory liability. SMCR Senior Manager Conduct Rule 2 requires the senior manager to take reasonable steps to ensure their business area is controlled effectively, and this duty applies to AI systems in the same way it applies to any other business activity.
Is there a specific Senior Management Function for AI?
No. The FCA has stated it does not plan to introduce a dedicated Senior Management Function (SMF) for AI. Responsibility for AI agent deployments sits within the existing SMF framework, typically allocated across SMF1 (CEO) or SMF18 (Other Overall Responsibility), SMF4 (Chief Risk Function), SMF16 (Compliance Oversight), and where relevant SMF17 (MLRO).
What does “reasonable steps” look like for a senior manager approving AI agent deployment?
Reasonable steps for AI agent deployment under SMCR typically include five components: a documented sign-off decision with the specific controls relied on, a pre-deployment evidence pack covering stress testing and residual risk, a monitoring regime with defined thresholds and escalation pathways, a retrievable audit trail at the interaction level, and an intervention pathway that allows the firm to act before harm reaches the customer.
Does the FCA plan to publish AI-specific SMCR guidance?
Yes. Following the UK Treasury Committee’s January 2026 report, the FCA has committed to publishing comprehensive practical guidance by the end of 2026 on accountability and the level of assurance expected from senior managers under SMCR for harm caused through the use of AI. The guidance is expected to clarify how the duty of responsibility applies in agentic deployments.
Can a vendor contract transfer SMCR liability to the AI provider?
No. Vendor contracts can allocate commercial liability, but they cannot transfer regulatory accountability. The named senior manager in the regulated firm remains accountable for the AI agent’s behaviour in the firm’s regulated activities, regardless of whether the underlying model is built in-house, fine-tuned, or licensed from a third party. The vendor is treated as a third party under the FCA’s outsourcing rules.
What is the duty of responsibility under SMCR?
The duty of responsibility is a statutory obligation on senior managers in scope of SMCR to take reasonable steps to prevent regulatory breaches in their area of responsibility. It was introduced as part of the Senior Managers and Certification Regime that commenced in March 2016, and is the mechanism by which the regulator can hold a named individual personally accountable for failures in their business area, including failures involving AI systems.
Should senior managers wait for FCA AI guidance before signing off on an agentic deployment?
No. The accountability under SMCR applies now, regardless of whether AI-specific guidance has been published. Senior managers waiting for guidance before building their evidence pack risk having to construct one retrospectively if a supervisory or enforcement issue arises. The FCA’s position throughout 2025 and 2026 has been that existing frameworks apply, and senior managers are expected to evidence reasonable steps against the rules already in place.