One in five UK adults would already let an AI act on their money within limits they set. That is roughly 11 million people, from Yonder Consulting’s April 2026 survey of more than 5,000 consumers run for the Financial Conduct Authority.
That figure anchors the Mills Review, the FCA’s study of how AI will change retail financial services, published on 6 July 2026. The debate has been about whether to let AI make decisions. The survey says consumers are already there. The review is about what the regulator does next, and what that asks of the firms building these systems.
The review is an enabling document with one condition that bites. It clears the way for agentic finance, but firms still treating “a human is in the loop” as their governance answer will find that line no longer holds.
What the Mills Review is, and why a regulator wrote it
The FCA Board commissioned its executive director Sheldon Mills to look past the next product cycle and ask how AI reshapes retail finance by 2030. The result carries his name. It is, on the FCA’s own account, the first review of its kind led by a financial regulator anywhere, built on an Engagement Paper from January 2026, the consumer survey, focus groups, and a comparison of how other jurisdictions are handling the same shift.
Mills framed AI as reshaping financial services by 2030 and creating, in his words, “significant opportunities for consumers, firms and the wider economy.” That sets the tone of the whole document. The emphasis lands on opportunity before restriction.
The review sorts the change into four movements: how firms run their operations, how consumers move through financial journeys, how competition and market power get redrawn, and how fraud and cyber risk get amplified. The first three are where the commercial upside sits. The fourth, fraud and cyber, is what worries the regulator most.
The FCA isn’t trying to slow AI down
Read the seven recommendations together and the direction is clear. This is a regulator trying to make room for autonomous finance, not fence it off.
| Recommendation | What it signals for firms |
|---|---|
| Secure and adapt the regulatory perimeter | The FCA will pull general-purpose AI tools that sit outside regulation back into scope where they touch financial decisions |
| Strengthen system-wide coordination and oversight | Expect joined-up supervision across the FCA, Bank of England and beyond, not siloed AI rules |
| Monitor the transition to autonomous models and adapt frameworks | Rules will move as autonomy climbs; today’s guidance is a floor, not a settlement |
| Scale up the FCA’s AI Lab | The regulator wants to test alongside firms, not just inspect after the fact |
| Enable the foundations for agentic finance | An explicit green light: the FCA wants agentic AI to work, and is building towards it |
| Build an AI-enabled agentic supervisory model | The supervisor itself plans to run on AI, which raises the bar for how firms evidence their own |
| Develop a trusted public-interest AI financial capability service | A public-good layer, so the benefits of AI advice don’t only reach the wealthy |
Source: The Mills Review, FCA, July 2026.
“Enable the foundations for agentic finance” isn’t the language of a regulator trying to hold the line. The FCA has said it will follow the review with an AI good and poor practice publication later in 2026, drawn from what it sees working inside real firms. For anyone who lived through the slow, defensive early years of fintech authorisation, this is a markedly different posture.
The FCA is making room for agentic finance and raising the standard of proof in the same move. Most firms’ governance isn’t built for the second part.
“Human in the loop” just stopped being enough
For years the answer to any AI governance question has been that a person signs off. The Mills Review makes that answer insufficient on its own.
Under the Senior Managers Regime, as law firm TLT reads the review, it will no longer be enough to say a person “remains in the loop.” A firm has to specify what information that person actually receives, when they can step in, how their challenge gets recorded, and what happens when they escalate. Applied to credit decisions, complaints handling and compliance itself, that is a documentation standard most firms don’t currently meet.
There’s a structural problem underneath it. As models retrain continuously, the point-in-time sign-off breaks down. Governance built on fixed release cycles assumes you validate a model, ship it, and revisit it later. An agentic system that adapts week to week needs continuous monitoring for drift and degradation, not an annual review. A release-and-revisit approach built for static software doesn’t fit.
The review also flags an accountability gap the industry has been quiet about. When AI operates at higher autonomy, it gets harder to name a single responsible person for a given outcome. That gap is legal exposure, and it lands on named Senior Managers.
Start by mapping where you actually sit. TLT’s reading sets out an autonomy spectrum running from a human doing the task, through assisting, to merely observing the machine. Most firms have deployments scattered across that range and no single view of them. Knowing your autonomy footprint is now the first governance question, not a technical footnote.
The Consumer Duty problem the review makes explicit
Consumer Duty and AI-first design pull against each other, and the Mills Review names the tension rather than smoothing it over.
The Duty requires firms to support customers, including those who are vulnerable. Yet if a market drifts to AI-only service by default, the review warns those consumers face reduced choice or worse service “unless firms design AI routes inclusively.” The 20% who are ready to delegate to AI aren’t the whole market. The rest still need a way through, and building for the enthusiasts while the others fall back to a degraded channel is the outcome the Duty was written to prevent.
For product and compliance teams, that turns an abstract principle into a design constraint. An AI journey with no inclusive alternative is a Consumer Duty gap, and the regulator has now said it’s watching for exactly that.
Fraud, vendors and the resilience question
The fourth shift, fraud and cyber, is where the review is least relaxed, and for good reason. AI raises the speed and scale of attacks at the same time it strengthens the defence. The FCA’s test, as firms will be expected to evidence it, is that AI-enabled controls genuinely improve detection, triage or disruption, keep working as threats evolve, and keep meaningful human control where a decision affects fairness or could harm a customer.
Third-party dependency is the quieter risk. Most firms will run agentic finance on external models and infrastructure they don’t own. The review’s position is that outsourcing the model doesn’t outsource the accountability: the firm still owns the outcome. That means treating critical AI providers as operational-resilience dependencies, mapping them, and testing whether existing impact tolerances survive an AI-specific failure such as a provider outage or a sudden model degradation.
None of that is exotic. It’s the operational-resilience discipline firms already apply to cloud and payments, extended to the model layer. The firms that already run that playbook have a head start.
How the FCA’s route differs from the EU and US
The FCA AI review deliberately avoids writing a single AI rulebook, and that is the clearest way to read it against the alternatives.
The EU has gone the other way. From 2 August 2026 the EU AI Act classifies credit scoring and creditworthiness assessment as “high-risk” under Annex III, pulling in banks, fintechs and buy-now-pay-later lenders whether or not they are otherwise regulated, and triggering conformity assessments, technical documentation and mandated human oversight. It is prescriptive by design. The US has no equivalent federal AI law and leans on existing regulators applying existing rules to AI.
The FCA’s choice, to adapt the perimeter and supervise outcomes rather than legislate a fixed classification, is a bet that principles age better than a static list. For a firm operating across borders, that means running two models of AI regulation in financial services at once: the EU’s rules-based regime and the UK’s outcomes-based one. The compliance burden is the overlap of both.
What to do before the perimeter review lands
Within three to six months of publication, the FCA is expected to run a perimeter review on general-purpose large language models operating outside regulation, and its findings could redraw the boundary between guidance and regulated advice. The good and poor practice publication follows later in 2026, and will set the clearest benchmarks yet on what acceptable AI deployment looks like.
That leaves a short window. The work that pays off in it is unglamorous: audit where AI already sits on the autonomy spectrum, rebuild model governance around continuous monitoring rather than release-gate sign-off, tighten Senior Manager documentation so “in the loop” is backed by specifics, and pressure-test vendor dependencies against the resilience standard.
Retrofitting governance onto an agentic system already in production is slower and more expensive than building it in from the start, and it leaves the firm exposed in the gap between deployment and control. The firms that read the Mills Review as permission to move, and build governance in from day one, are positioned for the agentic finance the FCA has said it wants to enable. The ones waiting for a finished rulebook will be retrofitting under time pressure while the perimeter moves under them.
The permission and the higher bar arrived in the same document. Firms have a few months to answer both.