The Mills Review is the FCA’s most recent attempt to work out how AI will reshape retail financial services by 2030. It arrives against a backdrop of mounting regulatory pressure following the release of Anthropic's Claude Mythos model (see our earlier post on this) which prompted the FCA, the Bank of England and HM Treasury to engage urgently with the UK's largest financial services firms over associated cyber security risks.
At well over a hundred pages, there is far more in the Mills Review than this post can cover. So, we’ll draw out a few important points that firms should have on their radar.
Existing principles-based framework remains broadly fit for purpose for now – but what happens when the human in the loop disappears?
First, there will be no new bespoke AI rulebook. An FCA "good and poor practice" AI guide is, however, expected later in 2026. In the Review’s words:
“We find that the overall regulatory framework remains sound. Its principles and outcomes-based approach, including the Consumer Duty, Senior Managers Regime , operational resilience and other key features, was designed to flex across changing business models. Engagement respondents did not seek changes to this system. They wanted clarity on how to interpret and govern increasing use of AI within the existing regime.”
The Review pushes this approach to its limit. It does this by presenting AI deployment as a five-level autonomy spectrum "along which humans move from performing tasks themselves towards setting boundaries, granting permissions and overseeing outcomes produced by AI". At the first level, as an operator, the human uses AI as a tool. As a collaborator, the two plan and act together. As a consultant, AI recommends and the human decides. As an approver, AI prepares or initiates actions that the human authorises. Finally, as an observer, AI acts within agreed limits while the human monitors outcomes. At the operator and collaborator end, there are concerns around accuracy, over-reliance and output quality. Further along the scale, they become about consent, accountability and redress. This is where the existing framework comes under strain.
The Review says:
“Existing accountability and consumer protection frameworks were designed for primarily human-mediated interactions. As AI systems move from Operator and Collaborator towards Approver and Observer modes, evidencing accountability may become more complex. Firms and individuals remain accountable for outcomes, even where aspects of model behaviour, performance and change sit outside their direct control… As decisions are increasingly delegated to AI systems, it may become harder for firms to deliver and demonstrate consumer understanding, value and informed consent.”
These remarks are consistent with recent comments from Sarah Breeden of the Bank of England who warned that we must keep asking whether existing, technology-agnostic regulatory frameworks remain sufficient as AI capabilities increase.
Does the regulatory perimeter need to move?
According to the Review, the FCA should consider whether the boundary of regulation still sits in the right place when financial decisions are increasingly made by AI systems (some of them provided by firms outside the current perimeter). Specifically, within three to six months, it should review the scale, nature and impact of general-purpose large language models operating outside the regulatory perimeter, including how consumers use general-purpose AI tools for savings, investments, pensions, mortgages and debt. It should then decide whether to amend guidance, recommend perimeter changes to government or maintain the current approach. Longer term, the FCA should monitor how frontier model capabilities affect the activity-based perimeter and ask the government to strengthen powers under the Critical Third Party and Designated Activities regimes (we've written about these before as bringing specific financial activities within FCA rules even where the provider is not otherwise regulated).
An Agentic Supervisory Model for the FCA itself
A possible ‘AI-enabled’ agentic supervisory framework described in the Review is an intriguing look into the future. The FCA could deploy AI across authorisation, supervision and enforcement, with agent-to-agent workflows and supervisory agents triaging firm submissions. On the autonomy spectrum, the FCA should develop AI to the consultant and approver levels, not observer. This would mean that human supervisors remain responsible for key decisions including exercising judgement, overseeing AI usage and engagement with firms. This model depends on regulated firms providing timely, structured, high quality data, with reporting anticipated to move from periodic returns towards continuous, event driven flows. It will also involve a shift in the FCA’s supervisory focus beyond individual firms to encompass the entire financial ecosystem.
Next steps
The Review closes with seven priority recommendations: securing/adapting the regulatory perimeter; strengthening system-wide oversight of AI concentration risks; monitoring the market’s transition along the autonomy spectrum; scaling the AI Lab and sandbox work; laying the foundations for agentic finance; building an agentic supervisory model for the FCA itself; and exploring a public-interest financial capability service. Decisions on which ones to adopt, and when, rests with the FCA Board. The most pressing issue is perhaps whether supervisory capacity can keep pace with a technology moving as quickly as the models cited throughout the Review itself.
With thanks to Jacob Joad for assistance in preparing this post.

/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-07-13-20-00-45-029-6a5543edab2597f8777d7270.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-06-29-10-16-32-639-6a4246003b479fecf5f620b0.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-06-25-18-41-32-015-6a3d765c156241708eb3f9e8.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-06-25-15-28-39-656-6a3d49271b5212dcba9047d5.jpg)