Treasury Select Committee warns of risks of poor AI supervision

The Treasury Select Committee has published its report on the use of AI by financial institutions. The report, summarising the results of an inquiry that started nearly a year ago, notes that  AI and wider technology can bring many benefits but the subject of its report was supervision. It is concerned that the regulators’ “wait and see” approach to supervision is not doing enough to manage the risks. The report found that three-quarters of UK regulated firms are using AI for a variety of purposes, with uses increasing with the size of the business. The Committee wants industry and regulators to work together to make sure the UK can capitalise on the opportunities AI offers, but also calls for regulatory action. It wants:

• the regulators to carry out AI-specific stress testing;
• the FCA to act quickly to produce practical guidance for firms by the end of the year, including setting out who within an organisation should be accountable for harm caused through AI (and indeed who is accountable when third parties are involved in development and provision of AI) and how consumer protection rules apply to firms’ use of AI; and
• to see appropriate AI and cloud providers designated under the Critical Third Parties regime – the Committee has previously pressed the Government on this, in the wake of failures in 2025 which significantly affected UK financial institutions, and with the benefit of 2 major providers expecting to be designated – yet no designations have yet been made and all the Committee received was an indication that the first designations were “expected” this year.

The Committee got 84 written submissions and correspondence from 6 major AI and cloud providers, and held 4 oral evidence sessions.

It is concerned that both the PRA and FCA said the existing regulatory framework gives enough protection against both consumer and financial stability risks. It quoted the BoE as saying that supervision had to be about dealing with the impact of situations when they occur, while the FCA said the SMCR and Consumer Duty together provide the required “regulatory bite”, so the FCA does not have to write rules specific to AI.

However, the Committee received input that said:

• there is not enough transparency in AI-driven decision-making in credit and insurance;
• when AI is used for financial decision making and product tailoring there is a risk of financial exclusion of disadvantaged customers;
• AI search engines can provide unregulated financial advice which may mislead or misinform customers;
• AI usage may lead to increased fraud risks and heightens cyber-security vulnerabilities;
• UK firms are overly reliant on a small number of US tech firms for AI and cloud services; and
• in the markets, AI-driven trading could amplify herding behaviour.

The regulators have various monitoring tools and have been prioritising cyber security, and the FCA has launched a number of Live Testing and Sandbox initiatives, but firms still lack guidance on accountability and rule application, and respondents said firms need more clarity on this. Also, there has been no  AI-specific stress testing.

If you’d like to discuss this further, please contact Katie Simmonds or Sheilah Mackie.