FCA Enforcement Consumer Duty AI Supervision February 2026 — Regulatory Analysis

FCA FinTech Enforcement 2024-25: Equifax £11.16M, Consumer Duty AI Obligations, and the FCA’s Evolving Position on Automated Financial Services

The FCA fined Equifax Ltd £11,164,400 in October 2023 for failures related to the 2017 Equifax Inc. data breach that exposed the personal data of approximately 13.8 million UK consumers. The enforcement action — nearly six years after the underlying breach — signals the FCA’s increasing willingness to pursue systemic technology governance failures in financial services. Combined with the FCA Business Plan 2024/25’s explicit identification of AI supervision as a strategic priority, this case marks a turning point in how the FCA conceptualises digital infrastructure accountability for firms providing credit and financial data services.

FCA Final Notice: Equifax Ltd

Date: October 13, 2023
Fine: £11,164,400
Underlying event: 2017 Equifax Inc. data breach — 13.8 million UK consumers affected
Primary failures: Inadequate oversight of Equifax Inc. data processing; failure to protect UK consumer data; inadequate management of outsourced data processing
Official source: FCA Press Release — fca.org.uk/news/press-releases

1. The Equifax Fine: Technology Governance Failures in Financial Data Services

The Equifax enforcement action is significant not because of the size of the fine — £11.16 million is modest by the standards of FCA financial crime penalties — but because of what it penalises. The FCA found Equifax Ltd liable not for a breach it directly caused, but for inadequate oversight of data processing conducted by its US parent company. The UK subsidiary had outsourced core data processing functions to Equifax Inc. and failed to adequately manage, monitor, or safeguard that outsourced relationship.

This outsourced-processing liability framework has profound implications for AI-powered financial services firms. A significant proportion of FinTech companies process customer data through cloud infrastructure providers, third-party AI model vendors, identity verification services, and credit data platforms. The Equifax action makes clear that the FCA treats the regulated UK firm as fully accountable for how its data is handled throughout the processing chain — including by third parties over whom the regulated firm claims limited operational control.

13.8M

UK consumers whose data was exposed in the Equifax breach

The FCA fine was £11.16M in October 2023 — but the reputational, remediation, and regulatory costs to Equifax Ltd far exceeded the penalty. The breach affected credit scoring data: information that AI models use to make automated decisions about UK consumers’ access to financial products.

The specific regulatory failures the FCA identified fall into three categories that map directly onto AI system governance requirements:

Failure 1: Outsourcing Oversight

Equifax Ltd failed to adequately oversee the data processing Equifax Inc. performed on its behalf. FCA SYSC 13.9 requires firms to manage outsourcing arrangements with the same rigour as internal operations. The “it was the parent company’s system” defence failed entirely.

Failure 2: Data Security Standards

The firm failed to ensure Equifax Inc. maintained appropriate technical and organisational security measures for UK consumer data. This mirrors the GDPR Article 28 processor accountability framework — the UK firm remained responsible for its processor’s controls.

Failure 3: Incident Response

When the breach occurred, Equifax Ltd’s incident response was inadequate. The FCA found failures in identification, notification, and remediation timelines. For AI systems, the equivalent obligation is incident response readiness for model failures and output errors affecting consumers.

2. Consumer Duty (PS22/9) and Its AI System Implications

The FCA’s Consumer Duty, set out in Policy Statement PS22/9 and effective from July 31, 2023 for new products and July 31, 2024 for closed products, represents the most significant expansion of FCA consumer protection obligations since the Treating Customers Fairly (TCF) framework. For firms using AI to deliver financial services, Consumer Duty creates a set of obligations that existing compliance frameworks do not fully address.

The Duty is structured around four outcomes that firms must deliver for retail customers:

Products and Services Outcome: Products and services must be designed to meet the needs of the identified target market and must not cause foreseeable harm. For AI-powered products, this requires that the model’s outputs are appropriate for the customers to whom they are delivered — not merely that the underlying product design was sound at the time of initial approval.
Price and Value Outcome: The price charged must be fair relative to the value delivered. This creates a specific obligation for firms using AI to optimise pricing: dynamic pricing algorithms that systematically charge higher prices to consumers with lower financial sophistication or fewer alternatives may breach this outcome even if the prices are technically permissible.
Consumer Understanding Outcome: Firms must communicate information that enables consumers to make informed decisions. For AI systems, this includes the obligation to explain automated decisions in terms consumers can act on — not merely to make information technically available in contract documentation.
Consumer Support Outcome: Firms must provide support that enables consumers to realise the benefits of their products. For AI-mediated services, this requires that automated support systems (chatbots, AI-driven customer service) are capable of meeting consumers’ actual support needs, not merely deflecting queries.

Consumer Duty AI Gap: Most AI compliance frameworks in financial services focus on model accuracy, regulatory compliance, and data security. Consumer Duty introduces a distinct obligation: the AI system’s outputs must actively deliver good consumer outcomes — not merely comply with process requirements. A technically compliant automated credit decision that consistently produces outcomes harmful to specific consumer segments may satisfy existing fair lending standards while breaching Consumer Duty’s Products and Services Outcome.

3. FCA Discussion Paper DP22/4: The Regulator’s AI Conceptual Framework

In October 2022, the FCA (jointly with the Bank of England and the PRA) published Discussion Paper DP22/4: “Artificial Intelligence and Machine Learning.” This paper is the most detailed public articulation of how UK financial regulators conceptualise AI risk, and it provides the foundation for understanding how the FCA will approach AI supervision in 2024-25 and beyond.

DP22/4 identifies five dimensions of AI risk in financial services that regulators consider most significant:

1. Explainability and Interpretability

The FCA notes that deep learning models in particular can be difficult to interpret in ways that support meaningful human oversight. The paper does not mandate specific interpretability techniques but signals that firms must be able to explain AI decisions to regulators and, where required, to consumers. For credit scoring and product eligibility decisions, this connects directly to existing requirements under the Consumer Credit Act 1974 and the GDPR’s automated decision-making provisions (UK GDPR Article 22).

2. Data Bias and Fairness

DP22/4 explicitly flags the risk that AI models trained on historical financial data will perpetuate and amplify historical patterns of discrimination. The paper specifically identifies the risk of models that achieve aggregate fairness metrics while producing systematically discriminatory outcomes for specific demographic sub-groups — the “aggregate accuracy, disaggregated harm” problem that consumer advocates have documented in US fair lending enforcement.

3. Third-Party AI Dependencies

The paper addresses the growing use of third-party AI models — including large foundation models — in financial services decision-making. The FCA’s position echoes the Equifax outsourcing liability principle: a firm that uses a third-party AI model to make decisions affecting UK consumers is responsible for the regulatory compliance of those decisions, regardless of where the model was developed or who maintains it.

            DP22/4 on Foundation Models: The FCA Discussion Paper, published before the widespread deployment of large language models in financial services, anticipated exactly the governance challenges that have since emerged. A firm using GPT-4 or a similar foundation model to generate consumer communications, assess credit applications, or provide regulated advice cannot disclaim responsibility for that model’s outputs on the basis that the model was developed by a third party.
        

4. Model Risk Governance

DP22/4 draws on the US Federal Reserve’s SR 11-7 model risk management guidance as a conceptual framework adaptable to the UK context. The FCA signals that firms using AI for material decisions should apply model risk management discipline: model inventory, model validation, ongoing performance monitoring, and governance documentation that supports supervisory review.

5. Concentration Risk

The paper notes the risk of systemic concentration if the financial services sector converges on a small number of AI vendors or foundation models. If multiple major financial institutions use the same underlying AI model for credit decisioning, a failure or bias in that model could produce correlated adverse outcomes across the system.

4. FCA Business Plan 2024/25: AI as a Regulatory Priority

The FCA Business Plan 2024/25 explicitly identifies AI innovation and supervision as a strategic priority for the regulatory period. The Business Plan signals three specific areas of regulatory attention that financial services AI providers should anticipate:

Consumer harm from AI: The FCA commits to proactive identification and investigation of AI systems that cause consumer harm, with particular focus on automated credit decisioning, AI-driven pricing, and AI customer service systems that fail to deliver adequate support to consumers in financial difficulty.

Operational resilience of AI systems: The FCA signals convergence between its AI supervision agenda and the operational resilience framework introduced by PS21/3. AI systems that support Important Business Services must meet the same resilience standards as other critical technology — including requirements for impact tolerance testing and recovery capability documentation.

Regulatory sandbox expansion for AI: The FCA expands its Digital Sandbox and AI-specific regulatory testing environments, signalling that it will accept applications from firms seeking to test novel AI applications in financial services within a supervised framework. This creates an opportunity for firms with genuine regulatory uncertainty about their AI use cases to seek supervisory clarity before deployment.

// FCA Consumer Duty AI Compliance Documentation Framework
// Required for AI systems delivering regulated financial services outcomes

{
  "consumer_duty_assessment": {
    "product_name": "Automated Credit Decisioning Engine v4.1",
    "target_market_definition": "documented",      // Required under PS22/9 Outcome 1
    "foreseeable_harm_assessment": {
      "credit_refusal_rate_by_segment": "logged",  // Disparate impact monitoring
      "vulnerable_customer_flag": true,             // Enhanced monitoring for vulnerable customers
      "price_fairness_evidence": "semi-annual review" // Outcome 2 compliance
    },
    "explanation_capability": {
      "adverse_action_notice": "automated",         // Consumer Understanding Outcome
      "explanation_level": "plain_english_factors", // Not just model weights
      "consumer_challenge_pathway": "documented"    // Support Outcome
    },
    "governance": {
      "consumer_duty_champion": "Board_Member",     // PS22/9 requires Board ownership
      "annual_consumer_outcomes_review": true,
      "complaint_pattern_monitoring": "real_time"
    }
  }
}

5. SM&CR Accountability for AI Systems Under FCA Supervision

The Senior Managers and Certification Regime (SM&CR) creates personal regulatory accountability for named individuals at FCA-authorised firms. For AI-powered financial services, the SM&CR creates a governance requirement that many firms have not fully worked through: which Senior Manager Function (SMF) holder is accountable for the performance, regulatory compliance, and consumer outcomes generated by automated systems?

The FCA’s Equifax action provides a cautionary precedent. The UK subsidiary’s failure to oversee its US parent’s data processing was not, in regulatory terms, a technology failure — it was a management and governance failure for which named individuals at the firm could, in principle, face personal regulatory consequences. As the FCA’s AI supervision agenda matures, the expectation that a named SMF holder attests to the governance fitness of material AI systems will become an explicit regulatory requirement.

The practical implication for firms deploying AI in material decisioning contexts is a governance mapping exercise: for each AI system that affects regulated activities, there must be a named SMF holder who understands the system sufficiently to attest to its governance fitness, has authority to require changes to the system’s configuration or operation, and whose Statements of Responsibilities document AI oversight obligations explicitly.

6. 12-Item FCA AI Compliance Technical Checklist

FCA Consumer Duty & AI Compliance Checklist

Consumer Duty outcome mapping: For each AI system affecting retail customers, document how the system contributes to each of the four Consumer Duty outcomes. Identify where automated outputs could produce foreseeable harm — including low-probability, high-impact failure modes such as systematic misclassification of a specific demographic segment.

Target market definition and model alignment: Under PS22/9 Outcome 1, verify that the AI system’s deployment scope matches the defined target market. A credit scoring model validated on prime-credit applicants deployed to subprime segments without recalibration is a target market misalignment with Consumer Duty implications.

Automated decision explanation capability: Verify that the system can generate plain-language explanations for adverse decisions — not merely model feature weights. Under UK GDPR Article 22 and Consumer Duty Consumer Understanding Outcome, consumers must receive explanations they can act on, not technical documentation they cannot interpret.

Vulnerable customer protocol: The FCA’s Guidance for Firms on the Fair Treatment of Vulnerable Customers (FG21/1) requires that automated systems are capable of identifying and appropriately routing vulnerable customers. Verify that the AI system has a documented pathway for vulnerable customer identification and that automated outputs are not applied without modification to customers who may need enhanced support.

Third-party AI vendor due diligence: Applying the Equifax outsourcing accountability principle, document all third-party AI vendors and cloud infrastructure providers processing UK consumer data. Verify that each third-party relationship is governed by a contract that meets FCA SYSC 13.9 outsourcing requirements, including audit rights, security standards, and incident notification obligations.

DP22/4 model risk documentation: Maintain a model inventory that captures, for each material AI system: training data provenance, model architecture, validation results, known limitations, and the regulatory decisions the model supports. This documentation must be current and retrievable for FCA supervisory review.

Price fairness algorithmic audit: For AI pricing systems, conduct and document a price fairness analysis that assesses whether the pricing algorithm produces systematically higher prices for consumers with protected characteristics or lower financial resilience. The Consumer Duty Price and Value Outcome requires evidence of price fairness that goes beyond regulatory minimum pricing constraints.

Annual Consumer Outcomes Board Review: PS22/9 requires the Board (or equivalent governance body) to review evidence of consumer outcomes at least annually. For AI-driven businesses, this review must specifically assess automated system performance against consumer outcome metrics — not merely operational performance metrics.

AI incident response plan: Document an AI-specific incident response plan covering model failure, significant performance degradation, data breach affecting model inputs, and identification of systematic bias. The plan must include notification timelines aligned with FCA operational resilience requirements (PS21/3) and GDPR breach notification obligations (72-hour reporting window).

SM&CR AI accountability mapping: Identify the named SMF holder accountable for each material AI system. Verify that their Statements of Responsibilities explicitly reference AI system oversight. Document the governance process by which this SMF holder reviews and attests to the fitness of AI systems within their remit.

Complaint-to-model-improvement pipeline: Verify that consumer complaints about automated decisions are systematically reviewed for evidence of model failure or systematic bias. Consumer complaint data is a leading indicator of model performance degradation and is increasingly used by FCA supervisors as evidence of Consumer Duty failures.

Regulatory sandbox consideration for novel AI use cases: For AI applications in financial services that are genuinely novel or for which regulatory requirements are ambiguous, assess whether FCA Digital Sandbox or AI Testing Framework participation is appropriate. Proactive regulatory engagement reduces the risk of retrospective enforcement for good-faith innovation.

7. How Claire Supports FCA Consumer Duty AI Compliance

Claire’s FCA Consumer Duty Architecture

Consumer Outcome Monitoring in Real Time

Claire monitors AI system outputs against Consumer Duty outcome metrics in real time — not annually at Board review. When consumer outcome indicators (refusal rates, complaint rates, adverse decision concentrations by segment) move outside defined tolerance bands, the system alerts designated SMF holders and compliance teams before the FCA’s supervisory processes detect the issue. Early identification of outcome deterioration allows remediation before regulatory exposure crystallises.

Plain-Language Adverse Action Explanation Generator

Claire generates Consumer Duty-compliant, plain-language explanations for automated adverse decisions that satisfy both the Consumer Understanding Outcome under PS22/9 and the UK GDPR Article 22 right to explanation. Explanations are generated at the point of decision, reference the specific factors most material to the outcome, and include a clear articulation of what the consumer could do to improve their position — meeting the actionability standard the FCA expects.

Third-Party AI Vendor Governance Documentation

Applying the Equifax outsourcing accountability framework, Claire maintains a live third-party AI vendor register for each client institution, documenting contractual governance provisions, security standards evidence, audit right status, and incident notification records. When the FCA requests evidence of outsourcing oversight — as it did in the Equifax case — this documentation is immediately available.

SM&CR AI Accountability Mapping Tool

Claire’s governance module maps each material AI system to a named SMF holder, generates accountability documentation aligned with FCA Statements of Responsibilities requirements, and maintains an attestation record showing when each SMF holder last reviewed and confirmed the governance fitness of systems within their remit. This creates the documented governance chain that SM&CR requires and that FCA supervision increasingly inspects.

8. The Trajectory of FCA AI Supervision

The Equifax fine, the Consumer Duty implementation, and the FCA Business Plan 2024/25 AI priorities together trace a clear regulatory trajectory. The FCA is moving from principle-based AI oversight — where firms are expected to apply existing regulatory principles to AI systems — toward outcome-based AI supervision, where the regulator assesses AI systems directly against the consumer outcomes they produce and the governance structures that oversee them.

For financial services firms deploying AI in consumer-facing decisioning, the message is unambiguous: technical compliance with existing rules is necessary but not sufficient. The Consumer Duty standard requires positive evidence that automated systems are delivering good consumer outcomes — and the FCA Business Plan signals that the regulator intends to gather that evidence proactively through supervisory review, data requests, and where necessary, enforcement action.

Assessing your Consumer Duty AI compliance posture? Claire’s FCA regulatory team helps financial services firms map AI system obligations under PS22/9, document governance frameworks that meet DP22/4 expectations, and build the monitoring infrastructure that FCA supervisors will increasingly require. Talk to Claire about Consumer Duty AI compliance.