AI In Financial Services

AI In Financial Services: The End of “Wait and See”

When the UK Treasury Committee published its report on AI in financial services in January, the message was clear: adoption is accelerating, but oversight was lagging. The prevailing perception was that regulators had, at least optically, adopted a “wait and see” approach.

The responses issued on 16 April shift that narrative. The tone is measured but firm. Both regulators' position is clear: they are not standing still and, while the framework is still evolving, they would argue that the direction of travel is now more defined.

The regulators collectively emphasise that significant work is already underway to understand both firm-level and systemic risks arising from AI.

Their focus is on four key areas that are closely aligned with the Committee’s concerns:

  • the increasing use of AI in core financial decision-making
  • broader application across financial markets
  • operational dependency on third-party providers
  • the evolving cyber threat landscape

As far as mitigating systemic risk is concerned, scenario analysis is now well underway. Once theoretical, the risk of “herding”, model convergence, and common dependencies is now firmly on the supervisory agenda. For firms, this shift is arguably important, with the greater focus now on how AI behaves in a market where many others are using similar tools, data, and infrastructure.

Interestingly, one thing remains clear in their responses: there is no appetite to implement an AI-specific regulatory framework for financial services. Regulators will continue to rely on existing regimes (SMCR, conduct, operational resilience, outsourcing, and governance) to absorb AI-related risks. For firms, this means they must continue to interpret Principles in the absence of detailed rules. And for Boards and Executives, the challenge remains: how best to evidence robust oversight in an environment where expectations are still forming.

One further area of note is the Committee’s focus on Critical Third Parties (CTPs), where there is a potential for concentration, particularly in cloud and AI service provision. There is also a growing recognition that such risk requires a broader, cross-sector approach. For firms, the implication is clear: third-party risk can no longer be treated as a procurement or outsourcing concern. It is a core component of enterprise risk and, increasingly, of regulatory scrutiny.

So what are the respective regulators doing?

The FCA has continued the expansion of its own sandbox capabilities, often described as a “supercharged sandbox”, whilst the Bank of England’s focus has been on stress testing scenarios, which could signal a move toward more proactive supervision. Rather than waiting for risks to crystallise, regulators are beginning to model how they might emerge. These initiatives are important. They demonstrate momentum and intent. But they are not, in themselves, a substitute for firm-level action.

Firms should take away three practical implications:

  • The use of AI in decision-making will attract increasing scrutiny, particularly where it affects customer outcomes. Explainability, testing, and challenge will be essential.
  • Systemic considerations are rising up the agenda. Firms will need to think beyond their own models and consider their role within a wider ecosystem of shared technologies and dependencies.
  • Third-party oversight is becoming a defining issue. Understanding, evidencing, and stress-testing reliance on external providers will be critical.

If January’s report posed the question “are regulators doing enough?”, April’s responses arguably provide a more nuanced answer: they are moving, although the framework is still evolving.

For firms, this is not a reason to wait; rather, it should be seen as a call to action. Those that translate regulatory direction into practical controls, testing AI in real-world scenarios, strengthening oversight of third parties, and embedding resilience into deployment, will be better positioned not only to manage risk, but to compete. Because as AI becomes integral to financial services, the differentiator will not simply be who adopts it fastest; it will be who governs it best.