For a finance leader in an FCA-regulated firm, artificial intelligence raises a question with genuine personal consequences: when an AI system is used in a regulated process and something goes wrong, who is accountable? The answer that has emerged from the regulator is unambiguous, and it is not comfortable. Accountability sits with the named senior manager — and delegating a decision to an algorithm does not move it anywhere else.
This guide sets out how AI intersects the Senior Managers and Certification Regime in a UK context. It covers the regulator’s settled position that there will be no dedicated AI senior management function; where accountability for AI actually falls across the existing SMF map; what the ‘reasonable steps’ standard means when the system you rely on updates weekly; the specific obligations that bite — SYSC, Consumer Duty, operational resilience and data protection; what is coming in 2026; and what all of this means for the finance leaders regulated firms are hiring. It is written for the CFO, Finance Director or compliance leader who holds, or is preparing to hold, a senior management function in a firm that is adopting AI.
The starting point: three in four firms already use AI
This is not a hypothetical concern. The FCA and Bank of England’s joint survey found that around three-quarters of UK financial services firms were already using AI — a figure the regulators confirmed in their third joint survey. Adoption has since accelerated with generative and, increasingly, agentic AI. For finance functions specifically, which are among the earliest and heaviest adopters within a regulated firm, this means the accountability question is live now, not on some future horizon.
The finance leader is frequently the person the board looks to first on this, for a simple reason: much of the early AI adoption in a regulated firm happens inside the finance function — in reporting, reconciliation, forecasting and analysis — and finance leaders commonly hold senior management functions. That combination places the AI-accountability question directly in front of the CFO or FD, whether or not anyone has formally named it as theirs.
There is no AI senior management function — and that is the point
The single most important thing a finance leader needs to understand about AI and SM&CR is what the regulator decided not to do. The FCA and PRA considered whether to create a dedicated senior management function responsible for AI. They consulted on the question. The industry pushed back, arguing that existing governance structures and the SM&CR framework were already sufficient to address AI risks, and the regulators agreed.
That decision has a consequence that catches some firms off guard. Because there is no dedicated AI senior manager, accountability for AI does not sit in a convenient, ring-fenced box that someone can be appointed to own. Instead it falls on the senior managers whose existing Statements of Responsibilities already cover the relevant functions. AI accountability is distributed across the people who are already accountable for the areas AI touches. Nobody gets to say ‘that is the AI person’s job’ — because there is no AI person.
Where AI accountability actually falls
In practice, responsibility maps onto the existing senior management functions according to what the AI is doing and which part of the business it sits in:
- SMF24 (Chief Operations function) carries primary responsibility for the integrity of technology systems in the firms where it applies — which means AI infrastructure, deployment, security and operational maintenance sit within that remit. Note that in FD Capital’s world this function, like the CEO (SMF1), is a board-level appointment placed by our sister practice Exec Capital rather than within the finance-function remit.
- SMF4 (Chief Risk function) retains oversight of the firm’s risk management framework — including model risk, data-quality risk, bias risk, and the risk-appetite settings that govern how far AI is deployed.
- SMF16 (Compliance Oversight) is responsible for ensuring AI systems comply with applicable FCA rules, the Consumer Duty and data-protection requirements.
- SMF2 (Chief Finance function) — the CFO in a designated firm — carries accountability for the financial reporting, regulatory returns and financial-control environment that AI increasingly touches. Where AI is used in producing regulatory reporting or management information, its reliability sits inside the SMF2 holder’s accountability.
For a finance leader this matters because their own Statement of Responsibilities may already, by implication, capture AI use in the areas they own — even if AI is never mentioned in it. The accountability travels with the function, not with the technology.
‘Reasonable steps’ when the model changes weekly
The mechanism through which a senior manager is held accountable under SM&CR is familiar: Senior Manager Conduct Rule 2 requires a named individual to take reasonable steps to ensure that the business for which they are responsible is controlled effectively. The Duty of Responsibility means a senior manager can be held personally liable where a regulatory breach occurs in their area and they failed to take those reasonable steps. The FCA has confirmed that this standard applies to AI exactly as it applies to anything else a senior manager is responsible for. As FCA Executive Director David Geale put it to the Treasury Committee, individuals are ‘on the hook’ for AI-related harm under the regime.
What makes AI genuinely difficult is not the principle — it is applying a settled standard to a moving target. The FCA itself has acknowledged the hard version of the question: what does ‘reasonable steps’ look like when the model you rely on updates weekly, incorporates components you do not directly control, and behaves differently as soon as new data arrives? There is, as yet, no specific FCA guidance defining what a senior manager must actually do to evidence adequate oversight of an AI system, and no enforcement case setting a precedent. That gap is itself a risk: the standard applies, but its precise content is still being worked out.
For a finance leader, the defensible response is not to wait for the gap to close. It is to be able to show a deliberate, governed approach. In practice, reasonable steps in relation to AI plausibly include:
- Understanding, at a governance level rather than a technical one, how AI is used in the processes you are responsible for.
- Ensuring appropriate controls and human review sit around AI-assisted work that feeds regulated outcomes.
- Being able to evidence who owns each AI-enabled process, and what approvals were obtained before it went live.
- Maintaining a live inventory of where AI is used, whether it supports an important business service, and whether it is built in-house or supplied by a third party.
- Ensuring the firm can explain how AI-informed decisions are reached, and can document that explanation if a regulator asks.
The common thread is evidence. The FCA’s direction of travel is that supervisory attention will focus not on whether a firm has AI governance arrangements on paper, but on whether it can demonstrate those arrangements operate effectively in practice. A policy that cannot be evidenced in operation is, in the regulator’s eyes, close to no policy at all.
The rules that already bite
The UK has deliberately not adopted AI-specific legislation comparable to the EU AI Act. The FCA’s approach is principles-based, technology-neutral and outcomes-focused: firms are judged on the fairness, transparency, accountability and resilience of their outcomes, not on which technology produced them. That means AI adoption engages a set of existing obligations rather than a new rulebook. For a finance leader, four matter most.
SYSC — systems and controls
The Systems and Controls sourcebook is where AI governance is anchored. Governance arrangements and the requirement to maintain effective systems and controls apply to AI as they do to any other part of the firm’s operations. Where AI is used in a regulated process, the firm must be able to show that it has appropriate systems and controls around it — the same discipline that applies to any other material process, brought to bear on a newer kind of tool.
Consumer Duty
For firms with retail customers, the Consumer Duty requires that AI-driven products and processes deliver fair value, avoid foreseeable harm, and support good customer outcomes — and that the firm can monitor and evidence those outcomes on an ongoing basis. Bias in models is a specific concern the regulator has flagged, particularly in anything touching credit or pricing. The burden of proof sits with the firm: under the Duty and SM&CR, the firm must demonstrate its AI is working in customers’ interests, and the FCA does not have to find a problem first.
Operational resilience and third-party risk
Most firms do not build their own AI — they buy it. That makes AI a third-party dependency, and operational resilience and outsourcing obligations apply. Regulators have warned that AI could become a critical dependency, and firms are expected to strengthen vendor due diligence, contractual safeguards and exit planning to avoid vendor lock-in and concentration risk. The prospect of major AI and cloud providers being designated as critical third parties under the UK Critical Third Parties regime sharpens this further. A finance leader relying on an AI vendor for anything material should treat that reliance as an operational-resilience question, not merely a procurement one.
Data protection
Where AI processes personal data, UK data-protection obligations apply alongside the FCA rules. That includes a lawful basis, sensible retention, transparency, and — under Article 22 of the UK GDPR — safeguards around solely automated decisions, including a route to human review. Where AI processing is likely to be high-risk, a data-protection impact assessment may be required. The regulator has signalled that firms should expect supervisory enquiries spanning both financial regulation and data protection, and should align their SM&CR accountability with their data-protection obligations rather than treating the two as separate.
What is coming in 2026
A finance leader setting AI governance now should do so knowing the picture is still moving. Several developments bear on it directly.
In January 2026 the House of Commons Treasury Committee criticised the FCA, Bank of England and HM Treasury for what it called a ‘wait-and-see’ approach to AI risks, concluding the regulators were not doing enough. It recommended that the FCA publish, by the end of 2026, practical guidance on how existing consumer-protection rules apply to AI, including clarity on the level of senior-manager accountability and assurance expected under SM&CR for AI-related harm. That guidance, when it arrives, is the document finance leaders in regulated firms should read closely.
Also in January 2026, the FCA launched a long-term review — led by Executive Director Sheldon Mills — into how advanced AI could reshape retail financial services by 2030 and beyond, with recommendations expected in summer 2026. The FCA has reiterated that it does not currently plan to introduce AI-specific rules, but has openly raised the question of how SM&CR should operate where AI systems perform functions that were traditionally subject to direct human oversight. Alongside the review, the regulator has continued its more permissive track — AI Live Testing within the AI Lab, and an expanded Supercharged Sandbox — reinforcing that its strategy is to enable supervised experimentation rather than to prescribe.
The direction is clear even if the detail is not yet fixed: the framework will remain principles-based, the accountability will remain with named individuals, and the supervisory expectation around evidence, explainability and human oversight will sharpen rather than soften. A finance leader who builds a governed, evidenced approach now is building toward where the regulator is going.
A note on general-purpose tools
One practical warning deserves emphasis, because it is where finance teams most often stray. The FCA has been explicit that general-purpose tools such as consumer versions of large language models are not set up to assist with regulated financial decisions and are not regulated for that purpose. For a finance leader, the implication is twofold: confidential financial and personal data should not be entered into unapproved consumer tools, and AI output should never be treated as regulated advice or a substitute for a controlled, reviewed process. This is exactly the kind of boundary an AI usage policy exists to draw, and one a senior manager should be able to show is enforced.
What this means for hiring in regulated firms
The practical upshot for a regulated firm is that its senior finance and compliance hires now need to understand this intersection — not as AI specialists, but well enough to hold the accountability that comes with a senior management function in a firm that uses AI. A candidate who does not recognise that AI use sits inside their own SM&CR accountability, or who cannot describe how they would govern and evidence it, is a risk to the firm that appoints them.
When FD Capital places senior finance and compliance leaders into FCA-regulated businesses, this awareness is part of what we assess. We ask candidates how AI is used in their current function, who decided that, and how they govern and evidence it — the same worked-example approach we apply to any senior competence. A strong candidate describes a deliberate, controlled position; a weaker one either waves the question away or over-claims. Given the personal accountability at stake for an SMF holder, this is not a soft attribute; it is central to fitness for the role.
Call 020 3287 9501 or email recruitment@fdcapital.co.uk to discuss a senior finance or compliance appointment at an FCA-regulated firm where AI governance and SM&CR accountability are part of the brief.
FD Capital — Regulated-Firm Finance & Compliance Recruitment
Fellow of the ICAEW | Placing SMF2 CFOs, Chief Risk Officers, Compliance Oversight (SMF16) leaders, MLROs and finance leadership into UK FCA and PRA-regulated firms since 2018. We recruit permanent, interim and fractional senior finance and compliance leaders, screened against the FCA’s fit and proper standards and briefed on the personal accountability their function carries. 4,600+ network. 160+ placements. Shortlists in 3–7 working days.
Related reading and services
Senior finance, risk and compliance leaders for regulated firms.
Fractional, interim and permanent SMF holders across the regime.
How boards oversee the AI risk senior managers are accountable for.
Place a finance leader who can govern AI adoption.
About the author. Adrian Lawrence FCA is the founder of FD Capital Recruitment and a Fellow of the Institute of Chartered Accountants in England and Wales. Adrian holds a BSc from Queen Mary College, University of London and an ICAEW practising certificate in his own name. Before founding FD Capital in 2018 he worked across private, listed, owner-managed and PE-backed businesses, including CFO-level roles. That direct operating experience informs how FD Capital assesses senior finance and compliance candidates and briefs clients on what to look for in a regulated-firm appointment. Adrian personally leads every senior finance mandate FD Capital accepts and conducts candidate interviews himself for senior appointments.
Verify ICAEW membership → | FD Capital Recruitment Ltd, Companies House no. 13329383, operated by an ICAEW-registered practice.
This guide is general information for finance leaders and does not constitute legal or regulatory advice. Firms should take their own advice on their specific obligations. Regulatory positions described are current as at mid-2026 and are developing; readers should check the FCA’s latest publications.