The FCA's Mills Review signals the end of light-touch AI regulation and the beginning of mandated audit requirements. Most UK firms have deployed the wrong kind of AI to meet them.
Regulatory Watch  Trovix AriaFinancial Services · Legal · Insurance · Accountancy

The Mills Review represents a genuine policy shift, but not the benign one headlines suggest. The FCA is moving from 'no new rules needed' to 'we will mandate requirements for AI agents that make financial decisions'. This matters enormously to mid-market law firms, insurers, and accountancy practices because the definition of 'making a decision' will be tested in dispute. A chatbot that suggests switching accounts is different from one that executes the switch. The distinction is legally material. One in five UK adults already trust AI with financial choices; 26% use general-purpose tools like ChatGPT for advice. That consumer behaviour is outpacing regulation — exactly the moment when regulators tighten rules. Firms that have deployed conversational AI without proper audit trails, without documented decision logic, and without genuine human oversight are about to discover their tools don't meet the new standard.

This is part of a larger pattern. The EU AI Act is already live. The ICO has published AI governance guidance. The PRA expects banks to model AI concentration risk. The SRA is quietly watching how solicitors use generative AI in client communication. Each regulator is arriving at the same conclusion: general-purpose LLMs like ChatGPT and Claude are powerful but opaque, and opacity is incompatible with financial decision-making or legal advice. The industry has spent two years treating all AI as equivalent — a fatal mistake. The difference between Harvey (purpose-built for legal reasoning with explainable case retrieval) and a fine-tuned ChatGPT instance (fast but a black box) will become a regulatory fault line. Firms that have not yet moved beyond experimental AI are actually in a better position than those who have embedded unauditable systems into client-facing processes.

Here is Trovix's honest view: autonomous financial or legal decision-making requires AI systems built on retrieval-augmented generation with full audit compliance, not just language model scale. The FCA's rules will require firms to log what information the AI consulted, how it weighted that information, and which human made the final decision. Most general-purpose AI tools cannot do this cleanly. They hallucinate sources, lose the chain of reasoning, and treat all tokens equally. Trovix Aria is built on the principle that every recommendation must be traceable to source documents and regulatory guidance. That is not a feature we added — it is the architecture. When the FCA enforcement team asks 'show me how your AI made this decision', firms with retrieval-based systems can show their working. Firms with pure language models will struggle.

For mid-market practices right now, the practical action is clear. Audit your current AI deployments this quarter. If you cannot point to a specific document or regulation that your AI system consulted before making a recommendation, you have a compliance gap. Do not wait for final FCA rules. The Mills Review is the consultation; the mandate will follow within 18 months. Start with high-value, high-risk processes: client intake for legal firms, claims triage for insurers, tax position assessment for accountants. Those are the areas where regulators will look first. You do not need to remove AI from these processes — you need to replace unauditable AI with accountable AI. That usually means moving away from pure generative models and toward hybrid systems that combine language models with knowledge bases and decision logging.

Source: City AM

Related Trovix product:

Trovix Aria →Book a demo →