Summary
- The FCA’s Mills Review identifies four AI-driven shifts in retail financial services, including amplified fraud and cyber risk.
- Recommendations include adapting the regulatory perimeter, strengthening system-wide coordination, monitoring autonomous models, and scaling the FCA’s AI Lab.
- The review links AI adoption with operational resilience, market concentration, supervisory capability, and technology dependency.
The Financial Conduct Authority has warned that artificial intelligence could amplify fraud, cyber security risk, consumer harm, and market concentration in retail financial services, while setting out how regulators and industry may need to prepare by 2030.
The Financial Conduct Authority has published the Mills Review, led by executive director Sheldon Mills, examining how AI could reshape retail financial services for consumers, firms, markets, and regulators. The review identifies four major shifts: transformation of firm operations, evolution of consumer journeys, reshaping of competition and market power, and amplification of fraud and cyber risks.
The FCA says AI could improve access, personalisation, and efficiency, while also increasing the speed and scale of existing harms. Its commissioned consumer research found that a fifth of UK adults are likely to use AI that can act autonomously within pre-set goals, although trust and control remain important conditions for adoption. The review’s recommendations include securing and adapting the regulatory perimeter, strengthening system-wide coordination and oversight, monitoring the transition to autonomous models, scaling the FCA’s AI Lab, enabling the foundations for agentic finance, building an AI enabled supervisory model, and developing a public-interest AI enabled financial capability service.
The cyber element sits within the review’s fourth system shift: amplified financial crime and cyber risk. The review concludes that by 2030, AI will make fraud and cyber risks faster, cheaper, more scalable, and more persuasive. Those risks cut across firms, platforms, telecoms, payment rails, identity systems, AI and technology providers, and jurisdictions.
Retail financial services are not made up solely of banks, insurers, lenders, and wealth platforms. They rely on payment infrastructure, cloud services, identity verification providers, data brokers, communications channels, mobile operating systems, model providers, fraud analytics, customer support platforms, and outsourced technology. AI risk will emerge through a mixture of financial regulation, technology concentration, identity abuse, third party dependency, and consumer-facing manipulation.
The FCA is not proposing a separate AI rulebook in the review. Its approach remains grounded in existing outcomes based frameworks, but the recommendations imply that those frameworks will need to stretch. Autonomous models create difficult supervisory demands. If a financial service uses AI to make, recommend, or execute actions within pre-set limits, regulators will need evidence that the model is governed, monitored, constrained, and recoverable when it behaves unexpectedly or is manipulated.
Market concentration is another pressure point. AI adoption may increase dependence on a small set of cloud, model, data, and platform providers. That can improve capability and efficiency, while concentrating operational failure modes. A technology provider outage, model change, security incident, or contractual restriction could affect multiple financial firms at once. In a sector already covered by operational resilience rules and critical third party oversight, the AI stack may become part of the infrastructure regulators need to understand.
The review’s cyber and fraud warnings also put identity at the centre of AI enabled finance. Agentic finance depends on systems being able to authenticate people, delegate authority, verify intent, and distinguish legitimate automated activity from manipulation. Fraudsters will use the same automation, natural-language generation, synthetic media, and orchestration tools that firms use to improve service. Cyber security and financial crime become closely connected risks rather than separate control domains.
The recommendation to build an AI enabled supervisory model acknowledges that regulators will also need to change. Supervising AI enabled firms at scale will require better data, technical expertise, testing capability, and automated analysis. Manual supervision will not be enough if firms deploy AI across credit, advice, complaints, fraud detection, customer engagement, and operational workflows.
The direction of travel is visible before any new rulemaking begins. AI governance will need to connect with cyber controls, model risk management, operational resilience, third party assurance, fraud prevention, and board oversight. Firms treating AI as a product innovation issue alone will face difficulty proving that AI enabled systems remain safe, resilient, and accountable when attacks, failures, or market pressures arrive at machine speed.





