Of all the regulated sectors, financial services has the deepest existing supervisory framework for AI to be plugged into — and the highest expectations of how firms govern technology that materially affects customer outcomes. The FCA's published expectations through 2025 and into 2026 have made the direction unambiguous: AI is supervised technology, governed under existing senior-manager regimes, expected to fit cleanly inside firms' model risk and operational resilience frameworks.
The challenge most firms face is not the absence of governance. It is that the existing governance was written for a previous era of technology and has not been updated to take account of AI's specific characteristics.
The FCA and PRA expectation backdrop
Three regulatory threads shape AI use in UK financial services:
Model risk management. SS1/23 (PRA) on model risk principles for banks, the FCA's mirroring guidance for non-bank firms, and the broader expectation that AI/ML models sit inside the firm's model risk framework — including validation, monitoring, and challenge.
Third-party risk. SS2/21 and the wider third-party risk framework. Most firms' AI capability is delivered through third parties (Microsoft, Google, OpenAI, Anthropic, specialist vendors). Each is a third-party arrangement that needs the same diligence as any other critical outsourced service.
SMCR. Senior managers carry personal accountability for the technology decisions made inside their function. AI usage is increasingly read into existing SMF responsibilities — not as a new SMF, but as an extension of existing accountabilities.
Where AI is creating new SYSC issues right now
The Senior Management Arrangements, Systems and Controls (SYSC) sourcebook covers the firm's organisation, systems, controls, governance, record-keeping, and outsourcing arrangements. AI use creates new SYSC-relevant questions in each of these areas:
- Organisation: who is accountable for AI inside the firm, and is that accountability formally documented?
- Systems and controls: what controls operate around AI usage — approval, review, audit, exception, withdrawal?
- Governance: what board reporting cadence covers AI usage, AI risk, and AI outcomes?
- Record-keeping: for any AI involvement in a customer-affecting decision, what records exist and how long are they retained?
- Outsourcing: are AI vendors mapped, classified, and overseen as third parties under your existing framework?
Most firms can answer some of these questions but not all five. The readiness assessment surfaces which ones.
Five readiness dimensions weighted for financial services
The Arx Certa scorecard weights its five dimensions for sector context. For financial services, the weighting is heaviest on Governance, Security, and Use case.
Governance. A formal AI policy, board-approved, with named senior-manager ownership; a documented approval process for new AI use cases; integration with existing model risk and third-party risk frameworks; an audit-ready evidence pack producible in seven days.
Data. Customer data classification and AI access boundaries; data residency controls; lineage and retention; the specific question of whether AI vendor agreements are written under English law and whether customer data crosses the Atlantic during processing.
Infrastructure. Production-grade hosting (no consumer-tier services in scope), SSO and conditional access, network segmentation; the operational-resilience question of "if this AI tool stops working for a week, what breaks?".
Security. The financial services security baseline applied to the AI vendor layer — MFA, RBAC, logging, monitoring, vendor SOC 2 / ISO 27001 evidence, contractual right-to-audit clauses.
Use case. Each AI use case mapped to the customer outcome it affects, the conduct rules it touches, and the senior manager whose responsibilities cover it. Use cases that touch financial promotion, advice, customer service or vulnerable-customer interactions carry their own additional governance layers.
The AI vendor due diligence pattern most firms haven't caught up to
Five years ago, firms had a third-party risk framework that did the work for them. Onboarding a SaaS vendor went through procurement, legal, IT, infosec, and operational resilience. The framework worked because the universe of in-scope vendors was bounded and slow-moving.
AI broke that bound. A firm can now have AI capability delivered through many independent layers: the underlying model provider, the orchestration vendor, and the embedded AI features inside its existing CRM, ERP, email platform, helpdesk tooling, documentation system and analytics platform. Each of these is independently a third party with its own data handling.
The firms that have caught up have rebuilt their third-party register with an AI lens. The firms that haven't are running an outdated map of where their data actually goes.
What "ready" looks like
For an FCA-supervised firm, AI readiness means being able to answer four questions in a supervisory visit without scrambling:
- Who is accountable for AI inside your firm? (Named senior manager.)
- What AI tools are you using and what governs their use? (Living register plus AI policy.)
- What records have you retained of AI involvement in customer outcomes over the last 12 months? (Audit pack.)
- How does your AI risk fit inside your existing risk taxonomy? (Risk register entries with controls and residual risk.)
The Arx Certa scorecard is the four-minute version of those four questions, plus eight others.
Frequently asked
What is an AI readiness assessment under FCA expectations?
A structured review of whether the firm's AI use fits inside existing supervisory frameworks — model risk (SS1/23 and equivalent), third-party risk (SS2/21), SMCR senior-manager accountability, SYSC obligations on systems and controls, and the Consumer Duty where customer outcomes are affected. The Arx Certa scorecard is the free 4-minute starting point.
Does the scorecard align with SS1/23 model risk principles?
It is consistent with the direction of SS1/23 (PRA) and the FCA's mirroring guidance: AI/ML models sit inside the firm's model risk framework, with validation, monitoring, and challenge. The scorecard does not replace that framework. It tells you whether the framework's coverage of AI is current, and where the gaps would be visible in a supervisory ask.
How does SMCR accountability affect AI use in financial services?
Senior managers carry personal accountability for the technology decisions made inside their function. AI is increasingly read into existing SMF responsibilities — not as a new SMF, but as an extension of existing accountabilities. The scorecard's governance dimension explicitly checks whether AI accountability is named at senior-manager level and documented.
What does AI vendor due diligence look like for an FCA-supervised firm?
The same shape as any other critical third-party arrangement: DPA, sub-processor disclosure, SOC 2 / ISO 27001 evidence, right-to-audit clauses, contractual data residency, exit and portability, all applied through the AI lens. The complication is that AI capability often reaches the firm through several layers (CRM, ERP, helpdesk, documentation, analytics), each of which is independently a third party. Most firms' third-party registers haven't caught up.
How is the scorecard different from a formal AI risk assessment?
Different scopes and different weights. A formal AI risk assessment is a board-grade artefact, typically a 30–60 page document covering risk taxonomy, residual risk per use case, controls, board reporting, and assurance lines. The scorecard is the 4-minute precursor that tells you whether the firm is ready for that work, and which foundations need to be in place first.
Related Arx Certa services
If the readiness gaps the scorecard surfaces for your business need outside help to close, these are the engagement types we run for UK firms:
- AI services — implementation reviews, AI policy work, vendor due diligence, and pilot scoping for UK businesses adopting AI safely.
- Cybersecurity — the security overlay AI use requires, including UK GDPR, NCSC alignment, vendor risk assessment, and audit-readiness.
- Database — the data foundations work AI projects depend on. Most AI pilots fail because of the data underneath, not the model.
- Infrastructure — cloud, identity, network and integration foundations that need to be in place before production AI deployment.
Test your firm's AI readiness against FCA-fit expectations
Twelve questions across the five dimensions, weighted for financial services context. Personalised report identifies the gaps most likely to surface in supervisory visits or third-party risk reviews.
Get your AI readiness score →