The FCA just sat down with KPMG and a room full of financial services practitioners to talk about AI regulation. Not in the abstract, future-gazing sense that these conversations usually take. In the practical, operational, what-are-you-actually-doing-about-it sense.
The timing matters. KPMG’s joint webinar with the International Regulatory Strategy Group landed in June 2026, the same month the FCA launched fresh consultations on later life lending and the House of Lords published a report warning that UK regulators risk failing to support growth. AI is no longer a boardroom talking point. It is in the workflow. And the question has shifted from “should we adopt it?” to “can we govern what we have already deployed?”
The answer, for most firms, is: not yet. Not properly.
The governance gap
KPMG’s webinar surfaced a finding that should concern anyone running a regulated advice business. As AI scales from pilot projects into live operations, governance and controls are moving decisively into the first line of defence. The old model, where compliance teams in the second line reviewed things after the fact, is being replaced by something more demanding: monitoring and explainability designed into AI systems from the outset.
For mortgage firms, this is not a distant regulatory ambition. It is already the direction of travel. The FCA’s own Mills Review, launched in January 2026, is examining how AI is being used across retail financial services, with a particular focus on whether firms can explain the decisions their systems make. Not just to the regulator. To the customer sitting across the desk.
The three lines of defence model that most UK financial services firms rely on was designed for a world where humans made decisions and other humans checked them. AI breaks that assumption. When a machine learning model recommends a product, identifies a vulnerable customer, or flags a case for review, the traditional question of “who checked the checker?” gets considerably harder to answer.
What the FCA actually cares about
The FCA’s contribution to the KPMG discussion reinforced what practitioners who watch the regulator closely already suspected. The supervisory focus is not on whether firms are using AI. It is on whether they can demonstrate effective governance, good outcomes, and ongoing assurance once those systems are live.
This is Consumer Duty logic applied to technology. If your AI tool influences how customers are treated, how suitability is assessed, or how risks are identified, you need to show that it is producing fair outcomes. Not once, when you built it. Continuously, as it runs.
The FCA is also practising what it preaches. It is using AI within its own supervisory processes, which tells you something about where the bar is heading. If the regulator can deploy machine learning to monitor firms, it will expect those firms to deploy equivalent rigour in monitoring themselves.
The mortgage compliance question
Consider what this means for a mortgage operation. The traditional compliance model, checking around 10% of files through manual review, has been the industry standard since the 1990s. It was a pragmatic compromise: checking everything was too expensive and too slow.
AI has inverted that equation. As Dawid Kotur, CEO of Curvestone AI, argued recently in Professional Adviser, comprehensive checking is now cheaper than selective checking. A mortgage case file review that used to take two or three hours can be completed in minutes, including automated review and human oversight. Coverage can move from 10% sampling to near-100% review without adding headcount.
The economics have changed. The FCA knows it. And the firms that are still relying on 10% sampling may, before long, find themselves explaining why.
This is not hypothetical risk. The motor finance scandal, now estimated at over 9 billion pounds, grew in the gap between what firms were actually checking and what they should have been checking. PPI followed the same pattern. Comprehensive oversight would not have fixed the broken incentives behind those failures, but it would have caught the patterns earlier.
The operational reality
Scaling AI is not straightforward, and the KPMG discussion was honest about the friction. Legacy technology creates integration headaches. Concentration risk increases when firms rely on a small number of AI vendors. Cyber risk grows with every new data connection.
And then there are the behavioural risks that are harder to measure but just as dangerous. Complacency sets in when staff trust AI outputs without questioning them. “Purpose creep” happens when a tool built for one function gets quietly repurposed for another, without the governance catching up.
These are not reasons to avoid AI. They are reasons to govern it properly. The firms moving fastest are not the ones buying the most technology. They are the ones building the operational discipline around it: escalation routes, human oversight checkpoints, designed-in friction that forces someone to ask “does this make sense?” before a decision goes through.
Where this leaves UK mortgage firms
The global picture adds another layer. KPMG’s research with the IRSG found that while regulators around the world broadly agree on the principles, human-centricity, transparency, robustness, accountability, they diverge sharply on how to operationalise them. The EU’s AI Act takes a prescriptive, rules-heavy approach. The UK has chosen a principles-based path, giving firms more flexibility but also more responsibility.
For UK mortgage firms, that flexibility is an opportunity. The FCA is not prescribing exactly how to use AI. It is asking firms to demonstrate that however they use it, they can explain it, govern it, and show it produces fair outcomes.
The firms that get this right will find themselves with a genuine competitive advantage. Not because they deployed the shiniest technology, but because they built the governance infrastructure that lets them deploy it confidently, at scale, with the regulator’s confidence rather than its suspicion.
The ones that wait for explicit rules before acting may find that the rules, when they arrive, were written with the early movers in mind.
Research notes
KPMG and IRSG, “Regulating AI in Financial Services” webinar, June 2026. https://kpmg.com/xx/en/our-insights/regulatory-insights/regulating-ai-in-financial-services.html
IRSG, “AI in Financial Services: Emerging Global Norms.” https://www.theglobalcity.uk/insights/irsg/ai-in-financial-services-emerging-global-norms
Dawid Kotur, “The FCA is Opening the Door for Innovation — Advisers Should Be Paying Attention,” Professional Adviser, 16 June 2026.
FCA Mills Review on AI in retail financial services, launched January 2026. https://www.fca.org.uk/firms/mills-review
House of Lords Industry and Regulators Committee, report on UK regulators and growth, May 2026.