Sponsored

The Financial Conduct Authority published its first dedicated review of artificial intelligence in retail financial services on 6 July 2026. Led by executive director Sheldon Mills, the Mills Review sets out seven recommendations and four “AI-driven shifts”. Most of the coverage has fixed on one figure: 20% of UK consumers — roughly 11 million adults — say they would let an AI agent act autonomously within pre-set goals on their money. That number, drawn from a Yonder Consulting survey of more than 5,000 consumers, is the colour. It is not the story.

The story sits in the first recommendation: “secure and adapt the regulatory perimeter.” Read plainly, it is the one with teeth. It opens the door to supervising AI models themselves, not only the firms that deploy them.

Why the perimeter is the whole game

The regulatory perimeter is the line that decides who the FCA can touch. Inside it, a firm holds a permission, answers to the Consumer Duty, and puts named individuals on the hook under the Senior Managers Regime. Outside it, the regulator can publish guidance and raise concerns, but it cannot supervise, fine, or withdraw a permission.

For a decade that line has been drawn around activities and firms. A bank uses a credit model; the bank is regulated; the model is the bank’s problem to manage. The review’s other six recommendations largely keep that logic — scale up the AI Lab, build an agentic supervisory model, strengthen system-wide coordination. Sensible, incremental, firm-facing.

Recommendation one breaks the pattern. “Secure and adapt the regulatory perimeter” asks the FCA to consider whether the boundary should move — and the obvious direction of travel is towards the models. In a world where a foundation model, rather than a bank’s in-house team, effectively makes the lending or advice decision, supervising only the firm leaves the actual decision-maker outside the line.

From tool to regulated object

This is the pivot worth marking. Until now, UK financial regulation has treated AI as a tool that regulated firms use. The perimeter recommendation raises the possibility of treating AI systems as potential regulated objects in their own right.

The distinction is not academic. If a handful of third-party model providers sit behind thousands of regulated firms — and the concentration risk the review flags under “the reshaping of competition and market power” says they increasingly will — then the firm-by-firm perimeter has a hole in the middle. The model provider carries systemic weight but holds no permission and answers to no senior manager regime. Extending the perimeter is how you close that gap.

It also cuts against the review’s own headline posture. The FCA is explicit that it does not want a bespoke AI rulebook; it wants to lean on the Consumer Duty and the Senior Managers Regime it already has. That works — right up until the entity making the decision is a model the regulated firm neither built nor fully understands. Principles-based supervision assumes there is a senior manager who can be held responsible for an outcome. Agentic AI, acting autonomously within pre-set goals, is precisely the case where that assumption starts to fray.

The perimeter recommendation is the regulator conceding that its current toolkit was built for firms using AI, not for AI making the calls.

What actually happens next

Nothing fast. “Consider adapting the perimeter” is a recommendation to think about legislation, not legislation itself. Moving the perimeter is a Treasury-and-Parliament job, not something the FCA can do by supervisory statement. The last perimeter fights — over crypto assets, over buy-now-pay-later — each took years to translate from intent into law.

But the direction is now on the record, from the regulator itself, which is what makes this more than survey colour. Three things are worth watching.

First, the AI Lab. Watch whether it starts producing model-level assurance work — testing and evidencing models directly, rather than reviewing firms’ governance of them. That capability is the machinery you would need before you could credibly supervise a model, and building it is a tell that the perimeter argument is being taken seriously.

Second, the concentration data. The moment the review’s own competition analysis shows two or three model providers standing behind most regulated AI decisions, the perimeter argument stops being theoretical and becomes a financial-stability one. Concentration is the trigger that turns “consider” into “must”.

Third, the Senior Managers Regime. If the FCA cannot yet reach the model, it will lean harder on the humans who chose it. Expect sharper expectations on the senior manager who signs off a third-party model — its testing, its monitoring, its failure modes. That is the near-term proxy for perimeter reform: available today, under existing powers, without new legislation.

The 11 million adults ready to hand financial decisions to an agent are the demand signal. The perimeter recommendation is the supply-side admission that the current framework was designed for a different problem. Closing that gap is the work of the next several years, and it will be fought line by line. The Mills Review is simply where the FCA put on the record that the work needs doing.

Finance & Markets Correspondent
Covers: Finance, capital markets, technology investing

David Whitmore covers the intersection of capital and code — the funding rounds, market structures and policy moves that shape how money flows through the technology economy.