Summary
- The FCA awarded Palantir a £375,001 enterprise search proof of concept involving financial crime intelligence, with the public contract record running from 30 January to 29 May 2026.
- FCA executives told MPs that Palantir is a processor, not a controller, and that data is held in a sovereign cloud with FCA-controlled encryption and UK-based safeguards.
- The dispute raises wider questions about US vendor dependency, public-sector AI procurement, CLOUD Act exposure, and how regulators evidence control over sensitive data.

The Financial Conduct Authority is facing renewed pressure to explain why a trial with Palantir will not expose sensitive UK financial crime data to US legal demands, after MPs and privacy campaigners questioned whether the regulator’s safeguards are enough to deal with foreign jurisdiction, supplier dependency, and public trust.
The contract, published on Contracts Finder as “Enterprise Search Decision Intelligence PoC”, awarded £375,001 to Palantir Technologies UK Ltd. The public record describes a proof of concept to enable “true enterprise search” across structured, semi-structured, and unstructured FCA datasets through a federated data or virtualisation layer. It lists a contract period from 30 January to 29 May 2026, while the FCA has described the work to MPs as a 12-week proof of concept aimed at improving how it collates information to tackle financial crime.
The sensitivity of the project lies in the data estate beneath the search layer. In evidence to the Commons Treasury Committee, Jessica Rusu, the FCA’s chief data, information, and intelligence officer, said the regulator’s intelligence infrastructure was processing more than 53 million intelligence records per day. She told MPs that Palantir would “only have access to the records that we push into the proof-of-concept framework infrastructure, which we control”, but also said the material would include “all the information that we use to identify financial crime”.
That includes entity resolution between individuals and firms, linked addresses, fraud and harm networks, and information drawn from more than 20,000 social media data sources. Rusu told the committee that the FCA would remain the data controller at all times, that Palantir would act as a data processor, and that the company would not control the underlying intelligence.
The FCA has also pointed to technical and contractual controls. Rusu told MPs that the data would sit in its own S3 bucket, that data centres would be UK-based, and that it was contractual for data to be held in sovereign cloud infrastructure with access limited to SC-cleared staff. The regulator has said data in the trial will be encrypted and under its control.
An FCA spokesperson said: “This 12-week trial will test whether we can improve how we collate information so we’re better able to tackle financial crime and the distress it causes. Criminals aren’t slow to use technology to cause harm. We need to stay ahead of them. The data used in the trial will be fully encrypted and under our control. No one is able to access the unencrypted data without our authorisation.”
The political challenge is that data location and controller status do not, by themselves, settle every cross-border access concern. Martin Wrigley, Liberal Democrat MP for Newton Abbot and a member of the Commons Science, Innovation and Technology Committee, has written to the FCA seeking the legal basis for its position that the US CLOUD Act would not apply in these circumstances. The US law concerns access to data held by providers subject to US jurisdiction in response to valid legal process, including where relevant data is stored outside the United States.
Palantir has disputed the risk. The company has said the CLOUD Act does not provide unfettered access to data, that requests require a serious criminal investigation and judicial warrant, and that FCA encryption keys remain under the regulator’s exclusive control. On that account, Palantir could not produce intelligible FCA data without the regulator’s involvement.
Stuart Harvey, CEO of Datactics, said the issue goes beyond one technical control. “When people and businesses sign their personal and sensitive data to public bodies, such as the FCA, they are trusting in UK law to protect that data, not be subject to backdoor access from another country. The moment that data reaches infrastructure operated by a US company, trust and governance are complicated and the risks skyrocket.”
The FCA has a real operational problem to solve. Financial crime investigations depend on joining fragmented records, spotting relationships between people and companies, identifying repeat patterns, and moving faster than criminal networks that already exploit online platforms, synthetic identities, and complex money flows. Enterprise search and graph analytics can make that work more targeted, provided the underlying governance is strong enough for the sensitivity of the material being queried.
The trial therefore sits at the point where AI procurement becomes an operational resilience question. The central test is not simply whether data leaves the UK, but whether the FCA can demonstrate who can access intelligible data, how supplier activity is logged and audited, whether outputs can be separated from underlying intelligence, how deletion is verified at the end of the proof of concept, and what exit route exists if the pilot becomes production infrastructure.
That scrutiny is awkward for a financial regulator that has itself warned about concentration risk in technology providers. The FCA, Bank of England, and Prudential Regulation Authority have introduced a critical third-party oversight regime for services whose disruption could affect confidence in the UK financial system. Public bodies are now confronting a similar dependency problem as they adopt AI and analytics tools across health, defence, policing, and financial regulation.
Palantir’s UK public-sector footprint is already substantial. A parliamentary answer in March said the company’s two largest UK public-sector contracts were the NHS Federated Data Platform and the Ministry of Defence Palantir Enterprise Agreement. NHS England says the federated data platform contract has a maximum seven-year term, with an initial three-year commitment coming up in March 2027, while the MOD has awarded a £240.6 million enterprise agreement for data analytics capabilities across defence.
The FCA pilot may remain narrow and temporary. The questions around it are not narrow. Sensitive financial intelligence carries legal, operational, and reputational exposure even when it is used for legitimate enforcement aims. Encryption, sovereign hosting, processor obligations, staff clearance, audit logs, deletion certificates, and independent assurance will decide whether the regulator can show it has retained control over the risk it has introduced.



