Mills Review
The Mills Review and the mid-market firm.
Seven months remain between now and the FCA’s summer report. The firms that use them well will not be the ones with the largest AI budgets — they will be the ones that have honestly mapped where their existing accountability frameworks bend under autonomous decision-making, and have started to redesign before the supervisor asks them to.
On 27 January 2026, the Financial Conduct Authority launched what most boards have not yet treated with the seriousness it deserves. The Mills Review — led by Sheldon Mills, the FCA’s Executive Director responsible for the Consumer Duty and the regulator’s competition obligations — is the most consequential signal the UK’s principal financial regulator has sent about its supervisory approach to artificial intelligence in nearly a decade. It is not a consultation paper. It is a strategic stocktake, with recommendations going to the FCA Board in summer 2026 and a public report to follow. By the time most firms read that report, the window for proactive positioning will already have begun to close.
For the large incumbents — the high-street banks, the listed insurers, the Big Four advisors who already sit in their committee rooms — the implications of the Review are being actively socialised. Board papers are being written. Heads of AI are being hired. Regulatory submissions were filed by the 24 February deadline.
For the mid-market — the £500m to £5bn revenue insurers, specialist lenders, wealth managers, asset finance firms, mid-tier building societies, and the trust and corporate services entities that make up the operational backbone of UK financial services — the picture is different. The Mills Review names few of these firms specifically. Their regulatory exposure is not systemic in the FPC’s terms. They are not subject to the same supervisory cadence as the top six. And yet, when the FCA’s recommendations land in the summer and the supervisory expectations shift, mid-market firms will face the same compliance bar with materially fewer resources, less in-house regulatory capacity, and considerably less time.
This is a briefing for those firms. It is not a regulatory summary — the law firms have produced excellent ones, and we list them in the sources. It is an operational briefing for the COO, the Chief Risk Officer, the Head of Operations, and the executive sponsor of whatever the current AI programme is called inside the firm. It is structured around four questions. First, what is the Mills Review actually doing, and why does it matter now rather than in 2030? Second, where do the existing accountability frameworks — SMCR and the Consumer Duty — bend most uncomfortably under autonomous decision-making? Third, what should a mid-market firm be doing between now and the summer report? And fourth, how do we know we are looking at the right problem?
What the Mills Review actually does
The Review’s stated scope is the long-term impact of AI on retail financial services — that is, services provided to retail consumers and SMEs, with wholesale markets formally out of scope. But the regulatory thinking it embeds will, in practice, ripple across the whole sector. Mills himself is not just any FCA executive director: he is the senior official responsible for delivering Consumer Duty, the most consequential rewrite of conduct expectations the FCA has produced this decade. When he is asked to lead a review of AI’s long-term impact, that is not a neutral appointment. It is a signal that the FCA’s approach to AI will be channelled through the same outcomes-focused, principles-based lens that defines Consumer Duty — and that the language of “good outcomes for retail customers” will be the standard against which agentic deployments are measured.
The Engagement Paper, published with the Review, organises the inquiry around four interrelated themes. Each one tells you something about where supervisory attention will sharpen.
The Four Themes of the Mills Review
How AI will evolve — including the development of increasingly autonomous, multimodal, and agentic systems — across the whole value chain from foundation models to deployed applications. This is the theme that gives away the most. The FCA is no longer asking how today’s tools should be regulated; it is asking how the regulatory framework should handle systems that take action with materially less human mediation.
How developments could reshape competition, market structure, and UK competitiveness — with explicit attention to whether hyperscaler concentration in the AI value chain is creating new forms of systemic dependency. The Critical Third Parties regime is implicit here, and HM Treasury is expected to make initial CTP designations during 2026.
How AI changes what consumers expect, and how they interact with financial firms — including the question of whether, by 2030, consumers will be engaging with financial services primarily through their own AI agents rather than through firm interfaces directly. The implications for distribution, advice, and the regulatory perimeter are profound.
Whether existing frameworks — specifically Consumer Duty, SMCR, the Operational Resilience regime, and the Critical Third Parties regime — remain fit for purpose, or whether they need to be reinterpreted, supplemented, or restructured for an AI-mediated market. This is the theme that will produce the most consequential supervisory expectations.
The Review’s posture is deliberate, and worth reading carefully. The FCA has stated — through Nikhil Rathi as recently as December 2025 — that it will not introduce AI-specific rules. The regulator’s reasoning is that AI evolves on a three-to-six-month cycle, far faster than primary legislation can adapt, and that prescriptive rules would either become obsolete quickly or constrain UK competitiveness. Instead, the FCA is doubling down on its principles-based approach, asking whether existing frameworks — written for a world in which decisions were made by named human beings — can stretch to cover decisions made by agents acting at machine speed.
The Mills Review is the structured test of that question. By summer 2026, the FCA Board will receive Mills’s recommendations. By Q3 2026, we expect “Dear CEO” letters, supervisory guidance, and the first wave of clarifying material on SMCR accountability for AI systems. The FCA has also formally committed to publishing, by the end of 2026, comprehensive practical guidance on how Consumer Duty applies to AI, and on the level of senior-manager assurance expected under SMCR for harm caused through AI. That is the timeline the mid-market firm needs to plan against.
There is one further development worth holding in view. One week before the Mills Review launched, on 20 January 2026, the House of Commons Treasury Select Committee published a critical report concluding that UK financial regulators were taking too cautious a “wait-and-see” approach and were thereby exposing consumers and the financial system to “potentially serious harm.” HM Treasury, the Bank of England, and the FCA each responded in April. The regulators pushed back on the wait-and-see characterisation but accepted the underlying pressure. The political backdrop, in short, is one of increasing parliamentary scrutiny. The Mills Review will land in a climate where the FCA needs to demonstrate that its principles-based approach is genuinely producing supervisory bite.
“The Senior Managers and Certification Regime requires named individuals to take reasonable steps to ensure the business for which they are responsible is controlled effectively. The FCA has confirmed this applies equally to AI systems. Delegating to algorithms does not transfer the liability.”
Bank of England / FCA joint research, November 2024
Where the accountability frameworks bend
For the mid-market COO and CRO reading this, the most operationally consequential dimension of the Review is the fourth theme: the FCA’s intention to assess whether SMCR and Consumer Duty remain fit for purpose. To understand where the pressure points are, it helps to look at the joint research the Bank of England and the FCA published in late 2024, which produced a number that has only become more interesting with time. Of UK financial services firms surveyed, 75 percent reported using AI in some form. But only 2 percent of those AI use cases ran without human sign-off on individual decisions.
That number tells you two things at once. It tells you that AI deployment is broad but shallow: firms have adopted AI tooling at scale, but the vast majority of consequential decisions are still being mediated by a human reviewer at some stage. And it tells you that the SMCR accountability question, for now, has been ducked. Where there is a human in the loop, the named Senior Manager can still credibly claim to be exercising oversight. Where there is not — where the agent acts, decides, and concludes a customer interaction autonomously — the framework strains, because Senior Manager Conduct Rule 2 requires named individuals to take “reasonable steps” to ensure effective control of their area, and at agent speed and scale, the steps that constitute reasonableness become much harder to articulate.
This is the structural issue the Mills Review will not be able to ignore. Three specific operational pressure points are worth naming.
Pressure point one: the reasonable-steps problem
For agent-mediated decisions, what does a Senior Manager actually do to discharge their conduct rule responsibility? Reading every decision is impossible. Sampling decisions is necessary but insufficient. The honest answer is that the Senior Manager must rely on the design of the system — confidence thresholds, escalation triggers, exception conditions, monitoring dashboards, periodic governance reviews — and on a documented audit trail that allows any individual decision to be reconstructed on demand. The supervisory question that will follow Mills is whether your system design is itself reasonable, and whether the Senior Manager who signed off on it could explain its constraints to an FCA case officer.
Pressure point two: the consumer outcomes problem
Consumer Duty requires firms to monitor and evidence consumer outcomes on an ongoing basis. Specifically, firms must be able to demonstrate that their products and services deliver good outcomes across four outcome categories — products and services, price and value, consumer understanding, and consumer support. When the decision-making, the recommendation, or the support interaction is being delivered by an agent, the firm’s ability to produce that evidence has to be designed in from the start. Agent decisions need to be logged not just at the level of the final outcome, but at the level of the reasoning trace, the data inputs used, and the policy constraints applied. Most mid-market firms today have no such architecture. Their MI was designed for human-mediated processes, and the agent-mediated equivalent does not yet exist.
Pressure point three: the second-line problem
Effective challenge of AI systems requires a second-line risk function with the technical literacy, the tooling, and the independence to challenge the first-line teams who deployed them. The Bank of England’s February 2026 roundtables with regulated firms found that second-line risk functions are, in general, approaching agentic AI cautiously — which is to say, they are not yet equipped to provide the kind of substantive challenge the regulatory framework assumes. The result is bottlenecks in deployment without resolution of the underlying control gap. For the mid-market firm, this is doubly difficult: the second-line function is often thinly staffed, and the technical literacy to challenge an agentic system is in short supply industry-wide.
2 percent of UK financial services AI use cases run without human sign-off on individual decisions — against an industry adoption rate of 75 percent. The mid-market firm sits squarely in this gap: heavy on tooling, light on the architecture needed to operate genuinely autonomous workflows. The Mills Review’s recommendations will land precisely on this disconnect.
What a mid-market firm should be doing now
The natural response of a senior team reading the above is to wait for the FCA’s summer recommendations and respond to them when they land. That instinct is wrong, for two reasons. First, the recommendations will be principles-based, not prescriptive. They will not tell you what to build; they will tell you what outcomes you must be able to demonstrate. Translating outcomes into operating-model change takes months, not weeks — and the firms that begin that translation now will be visibly more prepared in any supervisory dialogue that follows. Second, the supervisory tempo is itself accelerating. The PRA has named AI as a 2026 supervisory priority. The FCA’s biennial AI adoption survey is being re-run this year. The signal value of being able to articulate a coherent operating-model response in front of a supervisor in late 2026 will be significant; the cost of being unable to will rise sharply.
We therefore advise mid-market firms to use the next seven months not for compliance preparation but for operating-model honesty. The Mills Review is, at its core, a question about whether your existing frameworks bend in the right places when agentic systems take on more of the work. The honest answer for most firms is that they do not know — because they have never mapped the structural relationship between their AI deployments and the accountability architecture that wraps them. The recommended starting position is therefore to conduct a structured diagnostic, ideally before the summer, against the four dimensions that the Review’s own thematic structure makes clear:
Where the mid-market firm should be honest with itself
Work architecture. For every workflow where AI is currently deployed or piloted, can you draw an end-to-end map showing which steps are human, which are agent-mediated, where confidence thresholds force escalation, and where the handoffs sit? If not, the SMCR question is unanswerable.
Human-agent interface. For each agentic workflow in production or pilot, is the accountable Senior Manager identified by SMF role and explicitly named? Are escalation triggers designed, tested, and reviewed, rather than emerging by accident? Could the named manager explain the system’s constraints to a supervisor on a phone call?
Owned intelligence. When an agent’s decision is reviewed and corrected by a human, is the correction captured as evidence and as training data, or does it disappear into an email thread? Does your firm have a defensible record of agent learning — or is the system performing no better in month twelve than in month one, with all the customer interactions in between effectively wasted from a Consumer Duty evidence perspective?
Embedded governance. For any agent decision made in the last 30 days, could the firm produce on demand: the reasoning trace, the data inputs used, the policy constraints applied, the human approvals (if any)? Has your governance framework been mapped explicitly against the FCA’s principles-based expectations, the ICO’s January 2026 agentic AI guidance, and Consumer Duty outcomes — or are these documents you intend to read later?
We have built the diagnostic instrument that sits behind these four questions — the Fuchsia Agentic Operating Model — and we publish it openly because the worst outcome for the sector is for firms to arrive at the autumn supervisory cycle unprepared. The questions matter more than the brand on them. What matters operationally is that a structured response exists, that an executive sponsor owns it, and that the firm has visibly invested in answering it before the summer.
A note on how to approach this
For boards that have not yet had this conversation, three practical observations are worth offering.
The first is that the right convening forum is not the technology committee. It is the operations or audit committee, or a specifically constituted sub-committee of the board, because the question is not what to build but how the firm wishes to be governed. Where this conversation is run through the CTO or Head of AI alone, it tends to converge on platform decisions and vendor selection — both of which are downstream of the operating-model question and considerably less consequential. Where it is run through the COO, CRO, and Chief Compliance Officer jointly, with the CTO supporting, the conversation tends to surface the SMCR, Consumer Duty, and operational resilience tensions that the Mills Review will eventually formalise.
The second is that the worst response is the comprehensive one. Firms that attempt to address all four dimensions simultaneously, across every AI deployment in the estate, generally produce a programme that takes eighteen months to define and then quietly stalls. The pattern that tends to work is to pick one workflow — ideally one already in pilot — and to use it as the structural test case: redesign the operating model around it, work through the SMCR and Consumer Duty implications, produce the governance architecture that surrounds it, and only then generalise the pattern. A working example, even on a small scale, is worth more in a supervisory dialogue than a strategy document covering everything.
The third is that platform choice is not the urgent question. By the time the Mills Review’s recommendations land, the platform landscape will look different again. The hyperscalers will have launched new agentic capabilities. The model providers will have rolled out new versions. The Microsoft Copilot Studio, Google Gemini Enterprise, and Salesforce Agentforce roadmaps will have continued to evolve. The operating-model questions — where judgement sits, how learning compounds, who is accountable — are more durable. They are also where most agentic programmes fail. The FCA, in our reading, knows this. The Review is structured to assess exactly these durable questions.
By the time the Mills Review’s recommendations land in summer 2026, the supervisory expectations that follow will not be questions a mid-market firm can answer in a board meeting. They will be questions whose answers must be visible in the operating model, the governance architecture, and the documented audit trail. The intelligent response is to begin the work now, against a framework that explicitly anticipates what is coming — and to use the seven months between now and the summer report to ensure that, when the supervisor asks, the answer already exists.
A final thought
The Mills Review will be read, in time, as a turning point in how the UK regulator approached AI in financial services. Its specific recommendations will matter, but its tone may matter more. The FCA is not asking firms to wait. It is asking firms to demonstrate that they have thought about the structural relationship between autonomous decision-making and existing accountability frameworks — and it is reserving the right, through ordinary supervisory channels, to follow up on that thinking long before any new guidance is published.
For the largest firms, the response is already underway. For the mid-market, the question is whether the next seven months will be used — or whether the firm will arrive at the summer report having waited, and will then find itself trying to do in three months what it should have done in nine.
Most firms, in our experience, will wait. A small number will not. The difference between those two groups, at the next FCA Periodic Summary Meeting, will be material.
For boards preparing their response to the Mills Review
The Fuchsia Agentic Readiness Assessment is the four-pillar diagnostic instrument we use during a Tier I engagement. It is structured around the framework discussed above, and is designed to produce a defensible, evidence-led picture of where your firm sits today — suitable for executive committee or board review.
The full workbook is available to download. If you would like a 45-minute briefing with one of the senior advisors to discuss how it would apply to your firm, we are happy to arrange one.