UK AI rules in finance create compliance patchwork
Fri, 10th Jul 2026 (Today)
Lexxion Publisher has published a study on AI regulation in UK financial services by Charles Kerrigan and Lisa McClory. It finds that UK firms face a growing patchwork of supervisory expectations.
Published in AIRe: Journal of AI Law and Regulation, the study examines how financial institutions are operating under a sector-led regulatory model without a dedicated AI statute. It argues that, in practice, firms are moving from broad principles to detailed governance and reporting arrangements shaped by regulators, data rules and cross-border obligations.
The authors say the UK approach remains deliberately non-codified, with no single technology-specific rulebook for AI in financial services. Instead, firms must navigate overlapping expectations from bodies including the Financial Conduct Authority and the Prudential Regulation Authority, alongside broader data protection requirements.
This structure has produced what the authors call an "interpretive kraken", in which similar AI use cases may be treated differently across the market. They argue that the lack of consistency is creating operational strain as compliance, legal, risk and technology teams try to map fragmented obligations onto individual systems and business lines.
The paper focuses on a period of change for the sector. It highlights the FCA's Mills Review, with recommendations due later this year, as well as new FCA and PRA operational reporting mandates and the impact of the Data (Use and Access) Act 2025 on automated decision-making.
These developments matter because many financial institutions are already using AI in live operations. The study says 75 per cent of UK financial firms are deploying the technology, increasing the urgency of clearer internal controls and consistent governance frameworks.
Operational burden
Rather than introducing a single legislative framework, the UK has relied on sector regulators to apply existing principles to AI-related activity. In financial services, firms are often expected to interpret supervisory signals and translate them into practical standards for model oversight, accountability, reporting and customer outcomes.
The authors argue that the burden of making that framework work falls heavily on firms. Governance architecture, internal documentation and reporting systems are where broad regulatory principles are turned into day-to-day controls.
The picture is more complex for institutions with business in the European Union. The study says extraterritorial pressure from the EU AI Act is affecting EU-facing entities, adding another layer of requirements for firms that already have to satisfy UK supervisors and domestic data rules.
That creates the prospect of parallel compliance tracks, particularly for cross-border groups. A firm may need to align one set of internal processes with UK supervisory expectations while also assessing whether products, services or internal tools fall within the scope of the EU regime.
Data rules
The report also points to the post-Brexit Data (Use and Access) Act 2025 as a significant part of the picture. It says the law updates rules on automated decision-making while preserving EU data adequacy, an outcome that remains important for firms moving data between the UK and the bloc.
For financial services groups, data governance has become closely tied to AI governance. Questions about automated decisions, explainability, oversight and record-keeping increasingly overlap, particularly in customer-facing processes.
The study comes as policymakers and regulators in several jurisdictions continue to weigh whether existing law is sufficient for AI or whether technology-specific legislation is needed. So far, the UK has favoured adapting existing regulatory structures, a course supporters say offers flexibility but critics say leaves firms dealing with uncertainty.
Lexxion is making digital access available to the country reports section of the journal issue that includes the UK analysis, alongside reports on Japan, Korea, Australia, Ukraine and the European Union. The wider editorial focus reflects the increasingly international nature of AI regulation as companies compare national regimes and assess where rules diverge.
Kerrigan and McClory are identified as financial technology legal specialists at CMS London. Their analysis presents the UK market as one in which the practical rules of AI governance are shaped less by a single statute than by supervisory expectations, operational reporting demands and the compliance choices firms make in response to overlapping domestic and international obligations.
The result, they argue, is an uncodified and fragmented regulatory environment that pushes the real work of AI compliance onto firm-level governance architecture.