Responsible AI governance for financial services, mapped to EU AI Act, FCA, SS1/23 and DORA

FINANCIAL SERVICES

Responsible AI Governance for Financial Services

Banks, asset managers and insurers are deploying AI faster than they can govern it. We engineer the governance that keeps your AI inside the EU AI Act, FCA Consumer Duty, PRA SS1/23 and DORA, so the board can sign it off with confidence.

For boards, CISOs and Heads of Compliance at banks, asset managers, insurers and capital markets firms. AEO and AI marketing handled downstream, engineered to the same compliance standard rather than gamed.

THE EXPOSURE

Why AI Governance Is Now a Board-Level Risk

Financial services sits under four regimes that all reach AI: the EU AI Act, GDPR, the FCA rulebook, and prudential rules from the PRA and DORA. Deploy AI without governing it and the exposure is regulatory, not reputational.

EUR 35M / 7%

Maximum EU AI Act fine for prohibited AI practices

Article 99 sets fines up to EUR 35 million or 7 percent of total worldwide annual turnover, whichever is higher, for prohibited practices. High-risk breaches reach EUR 15 million or 3 percent. The exposure sits at board level, not in marketing.

EU AI Act, Article 99 (artificialintelligenceact.eu)

2 Aug 2026

High-risk obligations bite for AI credit scoring

Annex III point 5(b) classes AI that evaluates creditworthiness or sets a credit score as high-risk. From this date the full obligations apply: risk management, bias-tested data, logging, human oversight and the right to an explanation under Article 86.

EU AI Act, Annex III; Article 86 (artificialintelligenceact.eu)

31 Jul 2023

FCA Consumer Duty in force

On top of the rule that promotions be fair, clear and not misleading, the Duty makes firms accountable for supporting customer understanding and good outcomes. AI-generated copy and chatbot answers are communications you own.

FCA Handbook, PRIN 2A / COBS 4.2 (fca.org.uk)

17 Jan 2025

DORA in application across EU financial entities

Banks, insurers and investment firms must withstand and recover from ICT disruption, including risk carried by AI vendors and ICT third parties. PRA SS1/23 model risk principles took effect 17 May 2024 for firms with internal model approval.

DORA (esma.europa.eu); PRA SS1/23 (bankofengland.co.uk)

THE POSITION

Govern AI Well and It Becomes an Advantage

Regulation is not the enemy of AI in finance. Govern it properly and you deploy faster than rivals who are still arguing about who owns the risk.

Governed AI ships faster

Firms with a clear AI governance operating model approve use cases in days, not quarters. The bottleneck is rarely the model. It is the absence of an agreed way to assess and sign off the risk.

The August 2026 deadline is a head start

Most lenders have not classified which AI models are high-risk under Annex III. The firms that map and remediate now will be compliant while competitors are still scoping the problem.

Compliance expertise is your trust asset

Your compliance team understands FCA rules and model risk better than any vendor. Turned into governed AI and into clear, accurate published guidance, that expertise is what regulators and AI search engines both reward.

AEO without dark patterns protects the licence

The wider AEO industry is being penalised for manipulative tactics. Done to a Responsible AI standard, AI visibility is engineered cleanly, so a fair, clear and not misleading promotion is also the one AI engines cite.

OUR APPROACH

Systems. Strategy. Execution.

The same three-level framework, recast for the AI governance, risk and compliance realities of regulated financial services.

1

SYSTEMS

AI Governance Operating Model

We architect the governance your board, CISO and Head of Compliance can stand behind. Every AI use case mapped to its obligations under the EU AI Act, GDPR, FCA rules, PRA SS1/23 and DORA, with clear ownership and escalation.

  • -AI inventory and Annex III high-risk classification
  • -Governance operating model: roles, controls, escalation
  • -EU AI Act, GDPR, FCA, SS1/23 and DORA obligation mapping
  • -Board and committee reporting on AI risk posture
2

STRATEGY

AI Risk and Compliance Roadmap

We build a prioritised AI risk register and remediation roadmap tied to real deadlines, the August 2026 high-risk obligations first. Where AI search and content sit in scope, we set the guardrails before the work runs.

  • -AI risk register scored by likelihood and regulatory exposure
  • -Model inventory and model risk gap analysis against SS1/23
  • -Remediation roadmap sequenced to the EU AI Act timeline
  • -AEO guardrails for fair, clear and not misleading content
3

EXECUTION

Audits, Artefacts and Compliant AEO

When execution is needed, we engineer the evidence. AI risk and bias audits, vendor and model assessments, governance artefacts, and answer engine optimisation built to compliance standard so your AI visibility holds up under scrutiny.

  • -AI risk, bias and explainability audits for high-risk models
  • -Vendor and third-party AI assessments under DORA
  • -Governance artefacts: technical documentation, logging, oversight
  • -AEO and content engineering without dark patterns, FCA-clean

WHERE WE CREATE VALUE

Typical Financial Services Engagements

Illustrative scenarios reflecting the types of firms we work with. Specific scope depends on your AI estate, regulatory footprint and risk appetite.

CREDIT AND LENDING

Bank Deploying AI in Credit Decisions

AI models score creditworthiness across retail lending. Annex III point 5(b) makes them high-risk from August 2026, yet the model inventory, bias testing and human oversight evidence are not in place.

Systems-level engagement: classify in-scope models, build the risk management and logging required, and stand up human oversight and Article 86 explanation processes before the deadline.

MODEL RISK

Asset Manager Aligning AI to SS1/23

AI models inform investment research and allocation. Model risk governance was built for traditional quant models, not for AI systems that drift and need bias and explainability controls.

Strategy-level engagement: model inventory, gap analysis against PRA SS1/23 principles, and a remediation roadmap that brings AI models into the existing model risk framework.

VENDOR AND ICT

Insurer Governing Third-Party AI under DORA

AI capability is bought from vendors for pricing, claims and customer service. DORA holds the firm accountable for ICT third-party risk, but vendor AI is assessed inconsistently or not at all.

Vendor and model assessment programme: due diligence on third-party AI, contractual and resilience controls aligned to DORA, and a register the board can rely on.

MARKETING COMPLIANCE

Lender Engineering AI Visibility Safely

Marketing uses AI to generate content and wants visibility in AI search. Financial promotions must be fair, clear and not misleading under the Consumer Duty, and the wider AEO industry is being penalised for dark patterns.

Governance-led AEO: guardrails for AI-generated promotions, claim substantiation, and answer engine optimisation engineered to compliance standard rather than gamed.

WHY US

We Understand Regulated Markets

Sotiris has 27 years across regulated markets where mistakes cost licences, not just rankings, and is the author of Ethical AI, AI Moats and TRANSFORM. VerityAI is a Responsible AI advisory, not a software platform. We govern your AI and your AI visibility from the same principle: build it so it holds up under scrutiny.

Governance the board can defend

We architect AI governance mapped to the EU AI Act, FCA rules, SS1/23 and DORA, with ownership and evidence a regulator can follow. Not a policy PDF. A working operating model.

Responsible AI applied to AI search

AI engines reward authoritative, well-structured, expert-attributed content. We engineer that visibility without the dark patterns the AEO industry is being penalised for, so it stays fair, clear and not misleading.

Board language, not jargon

We speak to boards, CISOs and compliance officers. Reporting connects AI to regulatory exposure, model risk and customer outcomes, not vanity metrics.

FROM THE PUBLIC RECORD

What Ungoverned Financial AI Actually Costs

Named cases here are drawn from the public record, with sources. Composites are built from several engagements and flagged as such. No client is identified.

PUBLIC RECORD

HSBC: automated monitoring left untested

The FCA fined HSBC Bank plc £63,946,800 in December 2021. For eight years, from 2010 to 2018, its automated transaction monitoring systems ran without anyone properly testing whether the scenarios and parameters still caught money laundering, or checking the data feeding them was accurate and complete.

Takeaway: an AI or rules-based system is not governed once it ships. It needs tested scenarios, calibrated parameters and clean data on a schedule, with evidence a regulator can follow.

PUBLIC RECORD

A risk-scoring model that discriminated by design

The Dutch Data Protection Authority fined the tax authority EUR 2.75 million in December 2021, of which EUR 1 million was for using nationality as an indicator inside its fraud risk classification model. The model helped wrongly flag around 26,000 families for benefits fraud between 2005 and 2019, and the government resigned over it.

Takeaway: a feature that looks predictive can be unlawful. Bias testing and a lawful-basis check on every input are governance controls, not nice-to-haves, and the cost of skipping them is not just a fine.

COMPOSITE

The model nobody owned

Composite, built from several engagements. A lender runs AI in more places than the board realises: a vendor pricing model here, a marketing tool there, a chatbot bought by another team. No single inventory, no clear owner, so no one can say which models are high-risk or who signs them off. Nothing has failed yet, which is exactly why it gets deprioritised.

Takeaway: the first control is not a policy. It is an inventory with a named owner for every AI use case, so exposure is visible before a regulator or an incident makes it visible for you.

Composite lesson, no client identified

START HERE

Wherever You Are in the Decision

Three routes in, depending on where you've got to. Learn the rules, compare the approaches, or move to a decision.

LEARN THE RULES

Getting oriented

New to how AI regulation lands on financial services? Start with the rules that bite first: the EU AI Act by industry, and what statutory and regulatory reporting looks like when AI sits in the pipeline.

COMPARE YOUR OPTIONS

Weighing approaches

Already scoping the problem? Look at where AI creates exposure in banking, and how cross-border data transfers change the compliance picture before you commit to an architecture.

READY TO ACT

Moving to a decision

Ready to govern it properly? Start with the risk register template, then book a conversation about your AI estate and where governance reduces the most risk.

BY JURISDICTION

UK, US and EU: The Rules Are Not the Same

The same AI use case sits under different rulebooks depending on where it operates. We advise UK-first, and serve US and EU clients in English.

UK

Lead market. We advise UK-first.

  • -FCA Consumer Duty: financial promotions and customer outcomes, including AI-generated content
  • -PRA SS1/23: model risk management principles, in effect for firms with internal model approval
  • -ICO and UK GDPR: lawful basis, fairness and automated decision rights

US

Served in English.

  • -SEC and banking-agency model risk expectations, including SR 11-7 on model risk management
  • -State laws and sector regulators layered on top of federal expectations
  • -NIST AI Risk Management Framework as the voluntary baseline

EU

Served in English.

  • -EU AI Act: credit scoring is high-risk under Annex III point 5(b)
  • -GDPR: lawful basis, fairness and rights around automated decisions
  • -DORA: ICT and digital operational resilience, including AI vendor risk

FAQ

Financial Services AI Compliance: Questions Boards Ask

Straight answers on the rules that bite first, from EU AI Act credit scoring to PRA SS1/23 model risk and the FCA Consumer Duty.

Is AI used for credit scoring high-risk under the EU AI Act?

Yes. Annex III point 5(b) classes AI that evaluates the creditworthiness of natural persons or sets their credit score as high-risk, with a narrow carve-out for fraud detection. From 2 August 2026 these systems carry the full high-risk obligations: a documented risk management system, bias-tested training data, technical documentation, logging, human oversight and the affected person right to an explanation under Article 86. Breaching high-risk obligations can draw fines up to EUR 15 million or 3 percent of worldwide annual turnover, whichever is higher (Article 99). Prohibited practices reach EUR 35 million or 7 percent. We map which of your models fall in scope and engineer the governance to meet it.

How do FCA Consumer Duty and financial promotion rules apply to AI-generated content and AEO?

The Consumer Duty came into force on 31 July 2023 and sits on top of the long-standing rule that financial promotions must be fair, clear and not misleading (COBS 4.2, CONC 3.3). AI-generated marketing copy, chatbot answers and content engineered for AI search all count as communications a firm is accountable for. The Duty also requires firms to support customer understanding and deliver good outcomes. We govern AI content and answer engine optimisation so visibility is engineered without the manipulative tactics the wider AEO industry is now being penalised for, and so every claim survives FCA scrutiny.

What does Responsible AI governance look like for a regulated financial services firm?

We work at three levels. Systems: an AI governance operating model your board, CISO and Head of Compliance can defend, mapping every AI use to the EU AI Act, GDPR, FCA rules, PRA SS1/23 and DORA. Strategy: a prioritised AI risk register, model inventory and remediation roadmap tied to the August 2026 high-risk deadline and your model risk obligations. Execution: governance artefacts, AI risk and bias audits, vendor and model assessments, and AEO content engineered to compliance standard rather than gamed.

What is AI model risk management under PRA SS1/23?

PRA SS1/23 sets the supervisory expectations for model risk management at UK banks and insurers, built on five principles covering model identification and a model inventory, governance, development and validation, independent review, and the management of model risk from third parties. It took effect on 17 May 2024 for firms with internal model approval. The supervisory statement is technology-agnostic, so AI and machine-learning models sit inside its scope: they need the same inventory, validation and ongoing monitoring as any other model, plus attention to drift, bias and explainability. We run a gap analysis of your AI estate against the five principles and fold AI into your existing model risk framework.

Do UK banks need a separate AI governance framework?

Not a separate framework bolted on the side. The FCA and PRA have signalled a technology-neutral approach, so AI is governed through rules and expectations you already hold: PRA SS1/23 for model risk, the FCA Consumer Duty for customer outcomes and fair, clear and not misleading communications, the senior managers regime for accountability, and UK GDPR for automated decisions. What firms usually lack is the connective tissue: a single AI inventory, clear ownership of each use case, and reporting that ties AI to those existing obligations. We build that operating model so AI risk is governed through the controls the board already understands, not in a parallel silo.

Does the EU AI Act apply to a UK financial services firm?

It can. The EU AI Act has extraterritorial reach: it applies where an AI system is placed on the EU market, or where its output is used inside the EU, regardless of where the provider or deployer sits. A UK bank serving EU customers, or running an AI system whose output lands in the EU, can fall in scope alongside its UK obligations under the FCA and PRA. The practical answer is to map each AI use case against both rulebooks rather than assume Brexit removed the exposure. We classify your AI estate across UK and EU regimes so nothing in scope is missed.

START HERE

Let's Discuss Responsible AI for Financial Services

A conversation about your AI estate, your regulatory footprint, and where governance will reduce the most risk. No pitch decks. No proposals on the first call.

Request a Consultation