The Mills Review: FCA sets out vision for AI-enabled financial services by 2030
Key contacts
On 6 July 2026, the FCA published The Mills Review (the ‘Review’), a major report by Sheldon Mills examining how AI will transform retail financial services by 2030 and beyond. The Review identifies four key systemic shifts including: the transformation of firms, new consumer journeys, reshaped competition, and amplified financial crime. The Review also makes seven priority recommendations for the FCA Board. While the Review recognises the existing regulatory framework remains broadly sound, it signals that this may become increasingly under strain and adaptation will be required as AI moves from an assistive role towards greater autonomy and delegation in line with developing agentic models.
Background
The FCA Board commissioned the Review into the long-term impact of AI on retail financial services. The Review drew on over 140 written submissions and extensive engagement with financial services firms, trade bodies, consumer groups, technology providers and international stakeholders as part of an Engagement Paper published in January 2026 (closed on 24 February 2026). The Review also draws on an FCA-commissioned Yonder research survey of over 5,000 UK financial services consumers on attitudes to AI in financial services conducted in April 2026.
The Review’s central finding is that financial services are shifting from human-led, episodic activity towards services that are "AI-enabled, continuous and delegated". The Review uses a five-level "autonomy spectrum" to describe the different levels of human role, from the human acting as an ‘operator’ of AI as a tool (Level 1) through to humans as ‘observers’ of the AI only. While few services will become fully autonomous, the Review expects most leading firms to have embedded some form of AI across almost every function by 2030.
Key Proposals – the four systemic shifts
The Review identifies four systemic shifts that it considers will reshape financial services by 2030:
1. The transformation of firms
The Review outlines that retail financial services firms have begun deploying AI for specific use cases, mostly keeping humans in the loop. By 2030, the Review expects AI to be embedded across most firm operations, moving well beyond today's assistive applications.
As autonomy increases, the role of people inside firms changes from operators close to each decision, towards approvers and observers who monitor outcomes and intervene when systems move outside agreed parameters. The Review stresses that it will not be enough to say a human remains "in the loop"; firms will need to be clear about what oversight actually involves, what information reviewers receive, and how challenge is recorded. AI governance and model risk management will become critical capabilities, particularly as firms rely more heavily on third-party model providers.
2. New consumer journeys
Consumer demand for AI-enabled financial services is already emerging. Around one in five UK adults are open to AI making financial decisions for them, with demand strongest where choices feel complex, such as debt advice, pensions and investments. Roughly a quarter of consumers already trust general-purpose tools such as ChatGPT for financial guidance, despite limited awareness that formal redress routes will not apply.
AI could help address longstanding weaknesses in retail financial markets, including the advice gap (only about 9% of consumers receive traditional regulated financial advice), the protection gap (around 30% hold life or income protection), low switching, and roughly £300 billion sitting in low-interest accounts. However, the Review identifies significant risks, including bias and discrimination through hyper-personalisation, opaque or individualised pricing, and the potential for highly personalised deceptive design.
Consumer concerns are substantial. Around two-thirds of respondents expressed concern about misuse of personal data (68%), lack of protection if things go wrong (67%), and concentration of power among large firms (65%). The Review concludes that trust, control and access will ultimately define consumer uptake.
3. A reshaped competition landscape
The Review identifies three competition channels affected by AI. Firstly, control of AI-mediated consumer interfaces such as the platforms and agents through which consumers search, compare and buy financial products could become a major source of market power. Secondly, AI may lower barriers to entry for digital-native firms but also reinforce scale advantages for incumbents with superior data, capital and vendor access. Thirdly, concentration in the AI supply chain, with a limited number of model providers and hyperscalers, raises concerns about cost, vendor lock-in and resilience. This concentration risk may require review of the operational resilience and critical third-party regimes.
4. Amplified financial crime and cyber risk
The Review outlines that AI is expected to make fraud faster, cheaper, more scalable and more persuasive by 2030. At the same time, techniques including cloned voices, synthetic identities and deepfakes are making scams easier to produce and harder to detect. However, AI is also capable of strengthening detection and resilience, with frontier AI models already demonstrating the ability to identify and exploit software vulnerabilities. In short, both offensive and defensive capabilities will accelerate in parallel, and firms will need to demonstrate that their AI-enabled controls improve detection, triage and disruption while retaining meaningful human oversight.
The Seven Priority Recommendations
The Review makes seven recommendations, which together form an integrated framework covering the regulatory perimeter, supervision and coordination, foundations for agentic finance, and consumer access. The recommendations are summarised below:
Regulatory frameworks and perimeter
1. Secure and adapt the regulatory perimeter. In the short-term, the Review calls on the FCA to launch a review into the scale and impact of general-purpose large language models (such as Claude and Gemini) operating outside the regulatory perimeter but, importantly, influencing consumer financial decisions. The Review stresses this is a foundational action given the evidence that interactions are increasingly taking place through such tools and there is a potential gap between customer expectations and regulatory reality here. Other key actions also include ongoing monitoring, market engagement, intervention and strengthening coordination and MOUs.
The Review’s long-term recommendation is that the FCA seek to expand powers outside of the existing powers under the critical third party (‘CTP’) regime, to also include direct powers under the Designated Activities Regime (‘DAR’) and the Digital Markets, Competition and Consumers Act (‘DMCC’).
2. Monitor the transition to autonomous models and adapt regulatory frameworks. The FCA should clarify how the Consumer Duty, Senior Managers and Certification Regime (‘SM&CR’) and governance expectations apply as AI becomes more autonomous. The FCA will need to continue clarifying how accountability, governance and customer protection frameworks apply and firms will also need to demonstrate how outcomes are delivered and how accountability is exercised across AI-enabled decision-making. Notably, whilst respondents to the Review called for no AI-specific rule changes, there remains an open question around the application of the “reasonable steps” obligation for Senior Managers. The increasing opacity inherent in more delegated and autonomous AI operation could create an emerging pressure point for Senior Managers between the outcomes of AI-mediated decisions and the ability to exercise meaningful human control. The Review does not, however, seek to specifically address this gap and it is not expected to be included within upcoming SM&CR reforms.
Supervision and coordination
3. Strengthen system-wide coordination and oversight. The FCA should enhance coordination across domestic authorities and international partners around resilience, data, competition, security and consumer protection. This includes developing a coordinated incident response framework for AI-related systemic events.
4. Build and adopt an AI-enabled agentic supervisory model. The Review advocates that the FCA itself should develop AI-enabled supervisory tools for more continuous, system-wide oversight, moving from episodic, document-based supervision towards a model that is more risk-based and intelligence-led. This is a potential significant recommendation, as the proposed AI agentic supervisory model will need to be joined up with a more proactive intervention and enforcement approach to detect and address emerging AI risks.
Foundations and capability
5. Scale up the FCA's existing AI Lab. The FCA should establish a structured capability anchored in the existing AI Lab to assess AI models and systems used in financial services, with a focus on emerging architectures and more capable models and their potential application to regulated use cases. Other key actions the FCA should consider include: engaging earlier in the development cycle, using structured partnerships to help build its own understanding, setting initial priorities for emerging model capabilities and system design, and publishing practical outputs to inform supervision and support responsible adoption.
6. Enable the foundations for agentic finance. The FCA should lead the development of a trusted framework for AI agent participation in financial services, covering identity, authority, accountability and execution. The recommended approach is to develop trusted agent standards through Open Finance.
Consumer access and outcomes
7. Develop a trusted public-interest AI-enabled financial capability service. The FCA should convene the development of a free, inclusively designed AI-enabled service providing consumers with access to reliable financial information, guidance and support.
Concluding remarks
Whilst the Review does not propose specific rule changes, it is a significant strategic document that signals the direction of travel for FCA policy and supervision on AI. Firms should expect the Review's analysis to inform supervisory priorities, perimeter policy and future guidance across a range of areas, with the FCA continuing its plans to regulate for growth.
Several practical implications stand out. Firstly, firms should assess where their current AI deployments and planned use cases sit on the Review's autonomy spectrum, and consider whether their governance, risk frameworks and accountability arrangements are robust enough for the levels of delegation they are planning. The FCA describes governance as the likely “enabler of capability” for AI and, in turn, describes AI capability as the systemic driver for change. Therefore, whilst the rules remain the same, it is possible that higher expectations will apply in practice to firm governance and risk relating to AI.
Firms will also need auditable records, clear customer complaints routes and a clear understanding of AI outputs to explain decision-making and mitigate customer harm. This will be particularly important in the context of future enforcement action where AI agents or workflows are key to the scope of the investigation.
Secondly, firms should consider the impact to consumers. Firms must consistently demonstrate good customer outcomes in line with the Consumer Duty, including fair value and suitability expectations. Key challenges include increasing AI autonomy in customer decision-making, over-personalised recommendations, identification of vulnerable customers and ensuring appropriate information in the customer journey. The Review does not evaluate how the Consumer Duty will perform in a rapidly evolving environment where decisions are more autonomous and complex, nor is AI specifically included within the scope of the FCA’s recent Consultation Paper CP26/23 regarding the Duty. However, it is clear from the Review that the Consumer Duty continues to provide a key lens through which firms’ AI deployment will be assessed.
Thirdly, the emphasis on system-wide risks from shared model dependencies and upstream concentration in the AI supply chain reinforces the importance of firms' operational resilience and third-party risk management frameworks.
More broadly, the Review confirms that the UK financial regulatory system is flexible enough, and robust enough, that it does not require a raft of AI-specific regulations. That is one of the great strengths of the UK system’s design principles. This represents a competitive advantage, but the framework will also need to be reviewed and potentially adapt as AI adoption accelerates. Firms that invest early in strong AI governance, explainability and assurance capabilities are likely to be best placed both to deploy AI confidently and to meet evolving regulatory expectations.
If you would like to discuss how these developments may affect your business, please contact one of the authors or your usual CMS contact.
Article co-authored by Hannah Manning and Olivia Christie-Miller