A formal review commissioned by one of the world’s most influential financial watchdogs has placed large language models — the technology powering ChatGPT, Claude, and Gemini — squarely inside the perimeter of regulatory scrutiny for the first time, signalling a broader institutional shift in how governments intend to govern AI’s role in financial services.
The Financial Conduct Authority (FCA), the UK body responsible for overseeing financial markets and consumer protection, published a landmark review on Monday that urges it to consider, within the next three to six months, whether to expand its regulatory perimeter to cover AI models currently operating outside it. The review was authored by Sheldon Mills, the FCA’s executive director, and represents the first time a national financial regulator has formally studied the systemic impact of AI on financial services — a claim the FCA itself makes publicly.
The immediate question is narrow but consequential: should a chatbot that gives you personalised investment guidance be treated like a financial adviser? The broader question — how regulators manage an industry that is increasingly dependent on a handful of powerful AI providers — is one that will shape financial markets for years.
The Three Things Worth Knowing
1. Consumers Are Trusting AI for Financial Decisions — Without Knowing the Risks
The Mills review found that more than a quarter of UK consumers already trust tools such as OpenAI’s ChatGPT, Anthropic’s Claude, and Google’s Gemini when seeking financial guidance. Critically, most of these users have limited awareness that the protections applied to regulated financial services — compensation schemes, conduct standards, mandatory disclosures — do not extend to those AI products at all.
This is a material consumer protection gap, not a theoretical one. In the UK, financial advice is a regulated activity that can only be delivered by FCA-authorised businesses. AI tools, as currently structured, are permitted to offer only generic financial information. But Mills’ review flags that the line between “generic guidance” and “personal recommendation” — a legally significant distinction in UK financial law — is increasingly blurry. A chatbot that learns your risk appetite over multiple sessions, adapts its suggestions accordingly, and nudges you toward specific products may, in substance, be functioning as a financial adviser even if it is not licensed as one.
Jonathan Herbst, global head of financial services at law firm Norton Rose Fulbright, characterised the review carefully: Mills is not calling for an immediate crackdown, but is asking whether the rules need to evolve to reflect how financial services are actually being delivered. “That’s a big question for policymakers and one that will only become more pressing as AI adoption accelerates,” Herbst said.
2. Concentration Risk Is the Systemic Threat That Could Destabilise Financial Markets
Beyond individual consumer harm, the Mills review raises a more structurally alarming concern: the financial sector’s growing dependence on a small number of AI and cloud technology providers could introduce correlated risk across the entire system. If most major UK banks, insurers, and investment firms are running their customer-facing operations on the same underlying models — and those models share infrastructure, training data, or common failure modes — a single point of failure could cascade in ways that existing regulatory frameworks were not designed to contain.
A recent industry survey cited in the review found that 81% of financial firms globally were adopting AI at some level, with 40% already at more advanced stages of deployment. In the UK specifically, firms are moving AI out of lower-risk back-office functions — fraud detection, document processing — and into customer-facing roles such as complaints handling and investment guidance. The more that customer outcomes depend on shared AI infrastructure, the more a technical failure or a model-level vulnerability becomes a systemic financial risk, not just an operational inconvenience for one firm.
What makes this concentration risk uniquely difficult to regulate is that it does not map neatly onto existing supervisory categories. Traditional systemic risk frameworks — developed after the 2008 financial crisis — were designed around interconnected balance sheets and liquidity contagion. AI concentration risk operates differently: the “contagion” here is behavioural and informational. If multiple firms’ AI systems are trained on similar data and optimised for similar objectives, they may respond to market events in correlated ways — amplifying volatility rather than absorbing it — even if those firms are financially independent of each other. This is a new species of systemic risk, and neither the FCA’s existing toolkit nor the Basel framework was built to catch it.
This concern is not unique to the UK. As covered in our analysis of AI’s broader institutional moment, regulators in multiple jurisdictions are grappling with the same tension between enabling AI-driven efficiency and containing emergent system-wide risks that no single firm controls.
3. The Bank of England Has Now Entered the Debate — and the Stakes Have Risen
The Mills review does not stand alone. In a speech delivered just days before its publication, Bank of England Deputy Governor Sarah Breeden signalled for the first time that bespoke AI regulation may be necessary to contain risks posed by increasingly capable agentic systems — AI that can take actions autonomously, with limited human oversight. “Our frameworks were not built to contemplate autonomous agents, and relying on a human in the loop for all agent actions is unlikely to be realistic,” Breeden said.
That statement from a Bank of England deputy governor is significant. The Bank of England, as the UK’s prudential regulator, sits at the apex of financial stability oversight. Breeden’s remarks suggest a convergence of thinking between the FCA and the Bank: not that AI must be stopped, but that the regulatory architecture built over decades for human-executed financial activity is not sufficient for autonomous AI systems operating at scale. Together, the Mills review and Breeden’s speech represent the most coordinated regulatory signal yet from British financial institutions on AI.
The timing matters too. The capital investment flowing into AI infrastructure has accelerated dramatically in 2024 and 2025, meaning the technology is being deployed far faster than regulatory frameworks can adapt. Regulators are, by their own admission, running to catch up.
How AI Financial Advice Compares Across Regulatory Regimes
The UK’s approach is notable partly because of how it compares to what other major regulators are doing — or not yet doing — on the same question.
| Regulator / Jurisdiction | Current Status on AI Financial Advice | Systemic Risk Focus | Binding Action Taken? |
|---|---|---|---|
| UK FCA | Formal review recommending regulatory perimeter expansion within 3–6 months; first global study of AI’s financial sector impact | Explicit — concentration risk and correlated behaviour flagged | No — recommendations are advisory; FCA not bound to act |
| EU (European Banking Authority / ESMA) | AI Act applies horizontal rules; financial-specific AI guidance under development; no LLM-specific financial advice rule yet | Partial — AI Act addresses high-risk use cases but not concentration dynamics | Partial — AI Act in force but financial-specific rules still being developed |
| US SEC / FINRA | AI use in investment advice under scrutiny; SEC has issued risk alerts but no LLM-specific rulemaking | Limited formal treatment of AI concentration risk to date | No — guidance-level only as of mid-2025 |
| Bank of England (Prudential) | Deputy Governor Breeden signalled need for bespoke AI regulation covering agentic systems | High — explicitly noted existing frameworks not built for autonomous agents | No — speech-level signal only |
The comparison reveals that the UK is moving faster at the study and framing stage than its peers, but no major jurisdiction has yet enacted binding rules specifically targeting LLMs in the context of financial advice. That window — between “we see the problem” and “here is the rule” — is exactly the period in which consumer harm and systemic risk can accumulate.
It is worth noting that AI adoption surveys consistently show that deployment is outpacing governance across virtually every sector, not just financial services. The FCA’s move is notable precisely because financial services has historically been one of the faster-moving regulatory environments globally.
What This Means for the Industry
For OpenAI, Anthropic, and Google, the Mills review is a material development. All three companies have major consumer-facing AI products that are now explicitly named in a formal regulatory inquiry by one of the world’s most respected financial watchdogs. None of the three companies responded to requests for comment ahead of the review’s publication. That silence will not be sustainable if the FCA moves to formal consultation — at which point the companies will need to engage with questions about what disclosures their products carry, how they handle financial queries, and whether their systems constitute unauthorised financial advice in certain use-case contexts.
For financial institutions deploying AI — the banks, insurers, and wealth managers that form the FCA’s core supervised population — the concentration risk findings deserve urgent attention. Firms that have quietly standardised on one or two AI providers for customer-facing operations may now need to reconsider that architecture, or at minimum document their rationale in a way that satisfies a regulator increasingly focused on operational resilience. The enterprise AI deployment challenges that have dogged large organisations are about to acquire a regulatory dimension as well.
For the broader AI industry, the FCA’s review — and the Bank of England’s parallel signal — may become a template. The FCA’s claim to be the first regulator globally to formally study AI’s financial sector impact means that other jurisdictions are watching. If the FCA moves to expand its regulatory perimeter to cover LLMs in the next six months, the EU and US regulators will face political and institutional pressure to respond in kind. Washington’s ongoing effort to reshape financial oversight in the context of digital assets shows how quickly jurisdictional competition can accelerate regulatory timelines.
The deepest implication, however, is structural. The Mills review and Breeden’s speech together suggest that the UK’s financial regulatory establishment has reached a consensus: the existing framework was built for a world of human-executed financial decisions, and that world is changing faster than the rules. The next six months will reveal whether that consensus translates into action — or whether, as has happened before with emerging technology, the gap between risk and rule persists long enough for significant harm to occur first.











