The FCA published its AI Update in April 2024. It is twenty-six pages long. It does not contain a single new rule.
That has been widely interpreted, including across mortgage, commercial finance, and protection broking, as confirmation that AI in regulated firms is a permitted, low-friction activity. It is the opposite. The FCA's central message is that AI use by regulated firms is already comprehensively governed, by rules brokers already operate under, and that the regulator now expects firms to demonstrate they understand which rules apply and how.
The Update is not a green light. It is a statement of jurisdiction.
The strategic posture
The FCA describes itself, in this document, as "technology-agnostic, principles-based and outcomes-focused" (Foreword). That phrase does a lot of work and most brokers reading it will miss the implication.
Technology-agnostic means the FCA does not plan to write AI-specific rules in the short term. Principles-based means it will not need to. Outcomes-focused means that when supervisory action follows, it will follow on the basis of what AI use produced for the consumer, not whether a specific AI rule was breached.
The Update makes this explicit at section 3.5: "Many risks related to AI are not necessarily unique to AI itself and can therefore be mitigated within existing legislative and/or regulatory frameworks." Translated: the FCA is not building a new regime. It is telling firms that the existing regime already applies.
For a broker, this is a more demanding position than a prescriptive one. A prescriptive rule tells you what to do. A principles-based regime tells you what outcome to deliver and holds you accountable for getting there. AI introduced into a broker's workflow does not change the outcome obligations. It changes the route to them, and increases the surface area over which the broker is accountable.
Five principles, mapped to existing rules
The Government identified five principles for AI regulation: safety, security and robustness; transparency and explainability; fairness; accountability and governance; and contestability and redress (section 3.6). The FCA's job in this Update is to demonstrate that each principle is already covered by existing Handbook provisions.
It does so, principle by principle. The mapping is thorough, and for brokers, three sections of it matter most.
On fairness, the FCA points directly at Consumer Duty. Section 3.22 states that the regulator's approach to AI fairness rests on Principles for Businesses, "detailed rules and guidance, including the Consumer Duty." The Duty requires firms to deliver good outcomes, design products that meet customer needs, communicate in ways customers can act on, and avoid foreseeable harm. None of these obligations contain an AI carve-out. If a broker uses AI in any client-facing process, the Duty applies to what the AI produces.
The Update is unambiguous at section 3.26: "firms using AI technologies in a way that embeds or amplifies bias, leading to worse outcomes for some groups of consumers, might not be acting in good faith for their consumers." The framing matters. The FCA is not saying biased AI is a breach in itself. It is saying biased AI may be evidence of a Consumer Duty failure, which is.
On accountability, the FCA confirms that the Senior Managers and Certification Regime applies in full. Section 3.40 states that "any use of AI in relation to an activity, business area, or management function of a firm would fall within the scope of a SMF manager's responsibilities." Section 3.41 reinforces this by reminding firms that Senior Managers must take "reasonable steps to ensure that the business of the firm, for which they are responsible, is effectively controlled."
For a sole-trader broker authorised under Limited Scope SM and CR, this is personal. For an AR firm, it is the principal's exposure. For a network, it is firm-wide.
On data, the FCA defers to the ICO and to UK GDPR Article 22. Section 3.31 confirms that firms using AI to process personal data must comply with data protection law, and section 3.32 specifies that automated decision-making which produces "legal or similarly significant effects" triggers Article 22 safeguards, including the data subject's right to contest the decision.
Most broker workflows that paste client information into a third-party AI tool are processing personal data outside the firm's control. The Update does not state this explicitly. It does not need to.
For brokers operating in protection, the regulatory architecture is layered further. Health, medical, lifestyle and family-history data captured during a protection fact-find is special category data under UK GDPR Article 9. Processing it requires an Article 9 lawful condition in addition to the general Article 6 basis. The ICO's guidance on AI and data protection addresses special category data directly. The point is not new to protection brokers. The point is that the regulatory test for AI tools handling this data is higher than for general client data, and the Update's silence on AI specifically does not soften that test.
What the Update does not do
The Update does not introduce a Senior Manager Function dedicated to AI. The FCA considered the question, consulted on it in its earlier Discussion Paper, and concluded against it (section 3.40). Existing governance structures, the regulator argues, are sufficient. This is not a relaxation. It is a confirmation that AI is the existing Senior Manager's problem.
The Update does not provide safe harbour. Nowhere does the FCA say "a broker using ChatGPT in this way is compliant." Nowhere does it endorse specific tools or vendors. Brokers looking for permission will not find it. They will find the regulator stating that the existing rules apply and that firms are responsible for assessing whether their AI use meets them.
The Update does not exempt small firms. Limited Scope SM and CR firms carry the same Statement of Responsibilities obligations as Enhanced firms (section 3.41). A solo mortgage broker using AI carries the same Senior Manager accountability as the equivalent function in a network.
What the Update signals about supervision
The Update is a supervisory document as much as a policy one. Three passages indicate where FCA attention will land in the next 12 to 24 months.
Section 4.1 states the FCA's "first priority" is "to continue to build an in-depth understanding of how AI is deployed in UK financial markets." The third edition of the machine learning survey, run jointly with the Bank of England, will gather firm-level intelligence. Diagnostic work is already underway.
Section 4.4 names operational resilience, outsourcing and critical third parties as "increasingly relevant to firms' safe and responsible use of AI." For brokers using cloud-based AI tools, this signals that vendor due diligence and resilience planning will be tested in supervisory engagement.
Section 3.43 commits firms to producing annual Consumer Duty assessments. The first was due 31 July 2024. The FCA writes that this reporting layer "might also include consideration of current or future use of AI technologies where it might impact retail consumer outcomes." That is the regulator telling Boards what its supervisors will be looking for.
What this means for brokers
The FCA AI Update is not a permissive document, and it is not a restrictive one. It is a jurisdictional one. It places AI use by regulated firms inside the existing regulatory perimeter and explicitly forecloses the argument that AI is somehow outside it.
For UK brokers, three practical implications follow.
The first is that any AI use in a regulated activity needs to be capable of being defended on Consumer Duty grounds. Not on AI grounds. On Consumer Duty grounds. The question to ask of any AI workflow is not "is this AI compliant?" It is "does this AI use deliver good outcomes for our customers, and can we evidence it?"
The second is that Senior Manager accountability extends fully to AI use, with no separate framework planned. If you are a sole-trader broker, the SMF holder is you. The reasonable steps obligation in the Senior Manager Conduct Rules covers the AI tools running in your workflow.
The third is that data handling matters before everything else. UK GDPR was already the operative regime for client information. The arrival of accessible AI tools has not changed the law. It has changed how easily a broker can breach it.
The FCA has told the industry where the lines are. The lines were there already. The Update simply confirmed that they apply.