The UK's Financial Conduct Authority published the Mills Review on 6 July 2026, and its central message is more restrained than the headlines around AI regulation might suggest: the existing, principles-based regulatory framework is fit for purpose, and the UK does not need a new AI-specific rulebook for finance. Led by FCA executive director Sheldon Mills and commissioned by the regulator's board, the review — which the FCA describes as the first initiated by a regulator anywhere — examines how AI could reshape retail financial services for consumers, firms, markets and regulators by 2030 and beyond. What it recommends is not a new regime but a set of targeted moves: strengthening specific existing powers, including over the technology providers the sector depends on, adapting guidance for increasingly autonomous systems, and building the FCA's own capability to supervise them.
No new rulebook, but seven targeted recommendations
The review draws on a call for input that ran from January to February 2026, 140 written submissions and commissioned research including a survey of more than 5,000 UK consumers, and it sets out four structural shifts it expects by 2030 — in how firms operate, how consumers make decisions, how competition and market power are distributed, and how fraud and cyber risk are amplified. Against that, it makes seven priority recommendations to the FCA board.
Several matter most for the regulatory perimeter. The review asks the FCA to secure and adapt that perimeter, including an immediate three-to-six-month review of general-purpose large language models operating outside regulation, to close the gap where an unregulated chatbot dispenses something close to regulated advice. It asks for adaptive guidance clarifying how existing outcomes-based standards — the Consumer Duty and the Senior Managers Regime — apply as systems become autonomous. And it recommends the FCA build new capability to keep pace: scaling its AI Lab, developing an Agentic Supervisory Model for overseeing autonomous systems, and enabling standards for trusted AI agents through Open Finance. The through-line is continuous supervision replacing periodic review, rather than prescriptive rules replacing principles.
Regulating the vendors, not just the banks
The recommendation with the most structural weight concerns the technology providers themselves. The review finds the UK's Critical Third Parties regime to be technology-agnostic and capable of capturing major AI and cloud providers where the designation criteria are met, and it asks the government to strengthen the FCA's powers under that regime and the Designated Activities Regime, and to grant the FCA and other regulators direct powers under the Digital Markets, Competition and Consumers Act. The logic is the familiar concentration risk: if a small number of AI and cloud vendors end up underpinning the risk models, fraud checks and core systems of many firms at once, regulators want authority over those vendors directly, not only over the regulated firms that depend on them.
Here the Mills Review is more measured than Parliament has been. The Critical Third Parties regime was established under UK legislation and its rules were finalised in November 2024, yet more than a year later no provider has been designated. That gap prompted the House of Commons Treasury Select Committee, in its January 2026 report on AI in financial services, to warn that the Bank of England, the FCA and the Treasury were exposing consumers and the system to potentially serious harm through a wait-and-see approach, and to urge the Treasury to designate major AI and cloud providers by the end of 2026. The Treasury has said it expects to make initial designation decisions during the year. Mills's review supports strengthening the powers; the committee's frustration was with the failure to use the powers that already exist.
The consumer-protection gap
The review's consumer research is where the risk becomes concrete. It found that around one in five UK adults — roughly 11 million people — would be likely to use AI that can act autonomously within goals they set, with appetite strongest for areas such as debt advice, pensions and investments. It also found that a significant share of consumers already trust general-purpose AI chatbots for financial advice, frequently without realising that the formal routes to redress that apply to regulated advice would not apply to a general-purpose tool. That is the perimeter question in practice: the line between unregulated guidance and regulated advice is precisely where consumers are least equipped to see it.
Mills framed the sharpest version of the risk around pensions, warning that generative AI is very good at sounding authoritative and not always at being right, and that when retirement savings are involved, convenience is not the same as reliability. The review's deeper point is about accountability in agentic finance: as consumers delegate decisions to AI agents acting within pre-set goals, it becomes harder to identify the moment a person explicitly authorised a transaction — long one of the clearest signals for resolving a dispute or a fraud claim. Firms that keep automated decisions explainable and open to human review, the review suggests, will be better placed when something goes wrong.
The UK's path, set against the world
The review reinforces a distinctively British bet. Where the European Union's AI Act takes a more prescriptive route — classifying certain financial uses of AI, such as creditworthiness assessment, as high-risk and attaching specific obligations — the UK is choosing to keep a principles-based, outcomes-focused framework and to strengthen targeted powers within it rather than write new AI rules. Singapore's Monetary Authority has pursued a similarly principles-led model built around fairness, ethics, accountability and transparency. The Mills Review is, in effect, the fullest articulation yet of how far the framework-first approach is meant to stretch: no new rulebook, but sharper tools and a regulator retooling itself for autonomy.
Key Takeaways
The FCA published the Mills Review — led by executive director Sheldon Mills, commissioned by its board, and billed as the first regulator-led review of its kind globally — on 6 July 2026. Its central conclusion is that the existing principles-based framework is fit for purpose and that no new AI-specific rules are needed for retail financial services.
The review makes seven priority recommendations, including an immediate review of general-purpose LLMs operating outside the regulatory perimeter, adaptive guidance on how the Consumer Duty and Senior Managers Regime apply to autonomous systems, scaling the FCA's AI Lab, and building an Agentic Supervisory Model — the emphasis is on continuous supervision, not prescriptive rules.
Its most structural recommendation is to strengthen the FCA's targeted powers over major AI and cloud providers — via the Critical Third Parties regime (which it finds technology-agnostic), the Designated Activities Regime and the Digital Markets, Competition and Consumers Act. The CTP regime has existed since November 2024 but no provider has been designated; Parliament's Treasury Committee (January 2026) urged designations by end-2026.
FCA consumer research found ~1 in 5 UK adults (about 11 million) open to autonomous AI in personal finance, and a significant share already trusting general-purpose AI chatbots for financial advice without realising regulated-advice redress would not apply — the consumer-protection gap at the heart of the guidance-versus-advice perimeter question. The recommendations now go to the FCA board.