The FCA report published this week is a clear signal: the era of experimental chatbots delivering financial guidance with a veneer of human oversight is ending. The regulator is now calling for expanded powers to regulate AI, mandatory oversight of autonomous models, and a public-interest AI service to fill the gap where private chatbots fail consumers. For mid-market law firms, insurers, financial services firms and accountancies, this matters immediately. The FCA Consumer Duty PS22/9 already requires firms to act in the best interests of consumers. Adding AI agents into that equation without proper governance frameworks, explainability controls, and audit trails doesn't just create reputational risk—it creates regulatory liability. The conversation has moved past 'Should we use AI?' to 'Can we govern the AI we've already deployed?'
This story sits within a pattern of regulatory bodies waking up to what the market has already built. The EU AI Act is live. The ICO's approach to generative AI and UK GDPR is hardening. ISO 42001 is becoming table stakes for serious firms. And now the FCA is saying: autonomous financial AI agents need human-in-the-loop controls, explainability requirements, and traceability obligations that today's ChatGPT-style implementations simply cannot deliver. The divide is widening between firms that bolted on a generic large language model and called it innovation, and firms that built AI systems designed from inception to operate within regulatory constraints. Expect that divide to become a compliance chasm within 18 months.
Here's what we see happening. Firms are deploying tools like ChatGPT or Microsoft Copilot into financial advice workflows and hoping that 'human review' closes the governance gap. It doesn't. Those tools are trained on broad internet text, cannot be audited for bias or hallucination in specific financial contexts, and leave no traceable evidence of how they reached a given conclusion. That matters when a consumer disputes advice and the FCA asks: 'Show me your audit trail. Show me where the AI was constrained. Show me the testing you did.' Generic enterprise AI is not the same as domain-specific, regulatory-aware AI. Compare that to systems built with retrieval-augmented generation (RAG) over verified datasets—where every answer is traceable to a source document, where the model is constrained by what it's trained on, and where firms maintain complete visibility into why the AI said what it said. One approach survives FCA scrutiny. The other doesn't. Trovix Aria is built on that second principle: RAG-backed knowledge assistance for fee-earners that treats regulatory auditability as a first-class requirement, not an afterthought.
If you're in a mid-market firm right now, the practical move is this: audit what AI you're currently running. If it's a generic chatbot without domain-specific training, explainability controls, or an audit trail, you're on borrowed time. The FCA's expanded perimeter and mandatory agent oversight are not theoretical. They're being written into law. You need three things: first, a clear register of where AI touches consumer-facing decision-making; second, governance processes that can show regulators the constraints on those systems and the evidence they relied on; third, technology that was built for regulated environments from the start. That's not paranoia. That's the regulatory environment as it now stands. Firms that treat this as a box-ticking exercise will be the ones explaining themselves to the FCA in 2027. Firms that treat it as a material control will be the ones still operating.
Source: City AM