Subscribe now

2025 was a pivotal year for AI in financial services. The technology moved decisively beyond pilot projects and proof-of-concepts and became embedded in live operations: fraud detection, customer service, investment analysis, regulatory compliance. What was experimental became operational.

2026 will see that pace accelerate further. More financial services leaders are pushing the button on AI deployment, and the central question has not changed: how do you innovate safely in a heavily regulated industry?

The FCA AI Supercharged Sandbox

The Financial Conduct Authority recognised that tension and responded with the launch of its AI Supercharged Sandbox, an environment enabling safe, responsible experimentation with AI in UK financial services, supported by access to data, compute infrastructure, and direct regulatory engagement.

Digital Regs has been proudly mentoring the first cohort of participants in the areas of digital regulation, privacy law, and their applicability to FCA rules.

What We Discussed in the Sandbox

The questions raised by participating firms were not theoretical. They were the practical, difficult questions that any financial services firm deploying AI will eventually have to answer.

How do you ensure AI-driven decisions are fair and ethical? Fairness in AI is not a single standard, it depends on the context of the decision, the data used to train the model, and the protected characteristics of those affected. Consumer Duty requires firms to demonstrate good outcomes for all customers. That obligation does not pause because a decision was supported by an algorithm.

What does explainability mean in the context of a black box model? The FCA does not currently require firms to be able to explain every individual AI decision in technical terms, but it does require firms to be able to explain outcomes to customers and to demonstrate that models are monitored for bias and change of context that the data was used for training in (drift). Explainability is a governance question as much as a technical one.

How do you validate AI models used in financial crime detection? AML and financial crime detection are areas where AI is increasingly used, and where the consequences of a false positive or false negative are significant. Validation needs to cover model accuracy, bias testing, data quality, and the human oversight process when the model flags or fails to flag a case.

These were not edge cases raised by early-stage startups. They are questions that every firm deploying AI in a regulated context will face. The Sandbox provided a space to work through them with regulatory support before deployment, which is precisely its value.

The Second Intake Has Just Opened

The FCA announced on 21 April 2026 that the Supercharged Sandbox is expanding. The second intake opened on 5 May 2026, with more UK fintechs gaining access to data and NVIDIA compute to build and test their AI products. The FCA’s chief data officer Jessica Rusu cited “unprecedented demand” for the programme.

The Broader Regulatory Context

The Supercharged Sandbox does not exist in isolation. The UK government’s AI Opportunities Action Plan is advancing sector-specific guidance, with financial services identified as a priority area. Meanwhile, UK firms serving EU customers need to understand the extraterritorial reach of the EU AI Act, Article 2 applies regardless of where the deploying firm is based, if the AI system’s outputs are used within the EU.

There is also growing focus on AI insurance. Lloyd’s of London has tightened its approach to AI-related risks, with some insurers excluding certain AI applications from coverage unless proper governance frameworks are demonstrably in place. The implication is direct: if you cannot insure an AI deployment, you should think carefully before making it.

What This Means for Your Firm

For financial services firms, these developments create both opportunity and obligation. The Sandbox offers a genuine pathway to innovation with reduced regulatory uncertainty. But the wider context makes clear that AI governance is no longer optional, nor is it something that should be retrofitted after deployment.

The firms that engage with governance early, understanding their FCA obligations, mapping their data protection requirements, and building oversight into their AI systems from the start, will be better placed to deploy confidently, insure adequately, and demonstrate compliance when regulators ask.

We are grateful to the FCA for the opportunity to contribute to this landmark initiative, and to the first cohort of participants for the quality of the questions they brought to the table.

Digital Regs provides mentoring, governance frameworks, and compliance support for firms deploying AI in financial services. For more information about the FCA AI Supercharged Sandbox, visit the FCA AI Lab page. To discuss how Digital Regs can support your firm, visit digitalregs.com.

References: [1] AI Lab — FCA [2] AI Opportunities Action Plan — GOV.UK [3] EU AI Act, Regulation (EU) 2024/1689 [4] Insuring AI: How Good Governance Can Save You Money — Digital Regs [5] From magnifying glass to drone: using AI to spot reserving risks faster — Bank of England

But recent headlines have also reminded us of an important truth: not every AI tool is ready to be treated as a mature, enterprise-grade product.

What the OpenClaw Incident Tells Us

The emergence of OpenClaw, an AI agent that effectively behaved like a high-privilege employee, showed what can happen when powerful tools are adopted before organisations are ready to secure and govern them properly. The product went viral extremely quickly and then immediately became a major cybersecurity risk and attack target.

This is not a reason to avoid AI agents. Quite the opposite. It is a reason to be more deliberate about which tools we adopt, how we deploy them, and whether our teams are equipped to spot risk early.

New AI tools appear almost every week, promising to save time, reduce costs, and make work easier. Many of them genuinely can. Chosen well, AI is a powerful support for professionals and organisations. But choosing the right tool, in the right way, has become a business and regulatory decision, not just a technical one.

Your Existing Obligations Already Apply

There is no AI-specific law in the UK, but organisations are already expected to comply with data protection, confidentiality, security, and governance requirements that apply directly to how AI is used.

UK data protection law requires organisations to understand what happens to personal data, to keep it secure, and to be able to explain and justify the tools they use. Automated decision-making rules, recently updated, still require care, transparency, and human oversight when technology influences decisions about people.

In the EU, the AI Act makes this even more explicit by placing responsibilities not just on AI developers, but on organisations that choose to deploy AI systems. Any UK firm with EU customers or data flows needs to understand where those obligations begin.

The FCA has been clear in its support for a principles-based, outcomes-driven approach to AI regulation. Financial firms must ensure that how they develop, deploy, and use AI is consistent with the FCA Handbook requirements that apply to their specific business.

The key point is simple: if your organisation decides to use an AI tool, you remain responsible for that choice.

The Risk of Treating Experimental Tools as Finished Products

One of the particular challenges in the current AI market is that many of the most widely discussed tools are not traditional enterprise software products. They may be open source, built by small teams, or designed to run directly on a user’s device. They often change quickly and may not come with the safeguards you would expect from a long-established vendor.

There is nothing wrong with experimentation, innovation depends on it. Problems arise when experimental tools are treated as fully mature products, especially when they are given access to emails, documents, messaging systems, or client data. At that point, what felt like a harmless productivity experiment can quickly become a compliance or security issue.

This is why vendor due diligence has become so important in the AI space. It is about understanding what you are saying yes to.

Questions Your Vendor Due Diligence Should Answer

A sensible review of an AI vendor should address the following:

Where does the data go? Is it stored, reused, or shared with third parties? Does it leave the UK or EU?

What security measures are in place? What certifications does the vendor hold, and how are they tested?

What happens if something goes wrong? Is there a clear incident response process, and does the vendor notify you promptly of breaches?

Can the vendor use your data for their own purposes? Many AI services have terms that permit broad reuse of input data for model training. This is rarely acceptable in a regulated environment.

Who is responsible if there is a breach or failure? Liability limitations in AI vendor contracts are often aggressive. Know your exposure before you sign.

These questions matter because regulators expect organisations to have asked them, and to have documented the answers.

Read the Terms, Not Just the Demo

The terms of business behind an AI tool deserve at least as much attention as its features. Many AI services are written for speed and scale, not for regulated or professional environments. Some allow broad reuse of data. Some limit liability heavily. Some offer very little transparency about how information is processed or stored.

From a legal and regulatory perspective, those terms shape your risk exposure directly. They affect your ability to protect client data, meet confidentiality obligations, and demonstrate accountability if you are ever challenged. A tool that looks impressive in a demonstration can become a serious problem if its contractual terms do not align with your responsibilities.

Staff Awareness: The Overlooked Layer

Many AI risks do not come from bad intentions. They come from people not realising what a tool does or does not do. New regulations, particularly in the EU, now explicitly recognise this by requiring organisations to ensure that staff using AI have an appropriate level of understanding.

In practice, this means teams should be able to recognise when a tool is experimental, when it handles data in unexpected ways, and when something does not feel right. They should know when to pause, ask questions, and escalate concerns. Without that knowledge, even well-intentioned use of AI can create real problems.

Training plays a crucial role. It helps people use AI confidently without being careless. It also helps organisations demonstrate that they have taken reasonable steps to manage AI risks, which is exactly what regulators look for when things go wrong.

In our next post, we will explain why effective AI training needs to be tripartite, covering governance, technical literacy, and practical application, and what that looks like in a financial services context.

What Good Looks Like

Organisations that manage AI well share a few common characteristics.

They distinguish between tools suitable for controlled experimentation and those ready for wider deployment, and they document that distinction. They take vendor due diligence seriously even when a tool is exciting or widely discussed, because asking the right questions early is far easier than fixing problems later. And they invest in training their people, not as a barrier to progress, but as what allows the organisation to move forward with genuine confidence.

Digital Regs helps organisations assess AI tools and vendors from a practical regulatory and data protection perspective, supports AI procurement and due diligence in a way that enables informed decision-making, and delivers training that helps teams use AI responsibly. To discuss how we can help your firm, visit digitalregs.com.

For compliance officersot is a governance challenge with a direct and measurable impact on your firm’s risk management costs.

Why Compliance Officers Need to Act Now

Insurers are introducing Absolute AI Exclusions into policies including Directors’ & Officers’ (D&O) and Errors & Omissions (E&O) cover. This means that any claim involving AI could be excluded entirely, unless your firm can demonstrate robust governance at the point of underwriting.

The Lloyd’s Market Association has warned that systemic risks, such as a flaw in a widely used AI platform, could trigger multiple simultaneous claims across the market, complicating aggregation clauses and making pricing unpredictable. Underwriters are responding by tightening terms and asking harder questions about AI governance before they price a risk.

The practical consequence is straightforward: the quality of your AI governance framework will influence your premiums and determine the scope of your coverage. Firms that cannot evidence their controls may find themselves uninsured for precisely the risks they most need cover against.

What Insurers and Regulators Now Expect

Underwriters and regulators are converging on similar expectations. The firms best positioned for both insurance negotiations and regulatory scrutiny will be those that can demonstrate the following.

Documented AI governance frameworks aligned with FCA and PRA operational resilience principles, an actively maintained framework with named owners and regular review.

Acceptable use policies covering which AI tools are approved, what they may be used for, risk thresholds, and prohibited use cases. These should be specific to your business, generic policies do not satisfy underwriters or regulators.

Human-in-the-loop protocols to prevent unchecked automation in advice, credit decisioning, or client-facing processes. Where AI influences an outcome, a human must be accountable for it.

Data protection controls that address the specific risks AI introduces, including what data may be entered into AI systems, how outputs are stored, and how GDPR obligations around automated decision-making are met.

Staff training on AI use, ethics, bias recognition, and regulatory compliance, documented, role-specific, and regularly updated.

The Strategic Case for Acting Early

Strong AI governance is not just a compliance cost. It is a commercial asset.

Firms that can evidence their controls upfront are better placed to negotiate favourable insurance terms, reduce exposure to regulatory enforcement, and build trust with clients, counterparties, and investors. As AI governance questionnaires become standard in due diligence processes, from insurers, institutional clients, and regulators alike, the firms that have done this work will move faster and close deals more efficiently than those that have not.

Action Plan for Compliance Officers

Audit AI use across all business units. You cannot govern or insure what you have not identified. Map every AI tool in use, including those adopted informally by individual teams, and classify the risks each one presents.

Map AI risks to your existing compliance frameworks. GDPR, SM&CR personal accountability, FCA operational resilience, and Consumer Duty all engage with how AI is used. Your AI governance should connect to these frameworks explicitly, not sit alongside them as a separate exercise.

Engage your insurers early. Provide evidence of your governance standards before renewal. Underwriters are increasingly willing to offer more favourable terms to firms that can demonstrate a mature approach, but only if you make the case proactively.

Prepare for disclosure. Underwriters are introducing detailed AI governance questionnaires as standard. Knowing what to expect and being able to answer confidently is now part of the renewal process.

Digital Regs provides AI governance training, policy drafting, and vendor assessments for financial services firms. If you would like support with any of the above, visit digitalregs.com or get in touch directly.

In financial services, staff may be under pressure to work faster and smarter. It is no surprise that employees reach for AI tools that are easy to access, free to use, and genuinely effective at getting work done. But when those tools are not sanctioned by IT or compliance teams, you have a Shadow AI problem, and with it, a set of risks that most firms have not yet properly mapped.

The good news is that Shadow AI is also a signal. It tells you where your official tooling is falling short, and where your people are motivated to innovate. Forward-thinking firms can use that signal to build something better.

What Is Shadow AI?

Shadow AI refers to the use of artificial intelligence tools outside approved company channels. It is not usually malicious, it is staff trying to do their jobs more effectively. But the consequences of unsanctioned AI use in a regulated environment can be serious: sensitive client data entered into external AI systems, outputs used in client-facing decisions without oversight, and compliance obligations breached without anyone realising.

In financial services, where GDPR, FCA rules, and Consumer Duty all place specific obligations on how data is handled and how decisions are made, the gap between what staff are doing and what compliance teams know about is a material risk.

Why Shadow AI Happens

Understanding the cause matters before you can address it effectively. Shadow AI typically emerges for three reasons:

Official tools are too slow or too restrictive. If the approved route to getting something done involves multiple sign-offs or outdated software, staff will find a faster way.

People want to solve problems and innovate. This is a positive instinct. The staff most likely to use Shadow AI are often the most capable and motivated in your firm.

AI tools are widely available and easy to use. The barrier to accessing a capable AI tool is now extremely low. A browser and a free account is all it takes.

This combination means Shadow AI is not a problem you can solve through prohibition. Banning tools without addressing the underlying need simply drives the behaviour further underground.

Five Practical Steps to Turn Shadow AI into an Opportunity

1. Engage your team

Start by finding out what is actually happening. Ask staff which AI tools they use, for what tasks, and how frequently. Do this without creating a culture of blame, you want honest answers. Most people are not trying to circumvent compliance; they are trying to do their jobs. Their answers will tell you where the gaps in your official toolkit are, and which tools are genuinely adding value.

2. Shortlist and assess

Once you have a picture of what is in use, identify the tools that are most widely used and most valuable to the business. These become candidates for formal adoption but only after proper assessment. Conduct vendor risk assessments covering data security, processing locations, contractual terms, and the vendor’s own compliance posture under GDPR and, where relevant, the EU AI Act. A tool that works well is not the same as a tool that is safe to use with client data.

3. Train and monitor

Approval is not the end of the process. Staff need to understand what approved tools can and cannot be used for, what data is permissible to input, when human review of AI outputs is required, and how to escalate concerns. Build monitoring into your infrastructure so you have visibility of AI tool usage across the business. The FCA expects firms to be able to demonstrate oversight of the AI systems they use.

4. Set clear policies

A Shadow AI policy should cover which tools are approved, which are prohibited, the consequences of using unapproved tools with personal or confidential data, and how staff can suggest tools for assessment. Keep policies current, the regulatory landscape is moving quickly and a policy written in 2023 is unlikely to reflect your obligations today.

5. Stay ahead of regulation

GDPR, the FCA Handbook, Consumer Duty, (and the EU AI Act if your business has some connections with the EU) all have implications for how AI is used in financial services. Regulatory expectations around AI governance are developing throughout 2026. Build a regular review of regulatory developments into your compliance calendar so your framework keeps pace.

The Key Risks, Mapped!

For firms that do not address Shadow AI proactively, the exposure includes:

Data security breaches: client or employee data entered into external AI systems may be used to train those systems, stored in jurisdictions without adequate data protection, or exposed in a breach.

Regulatory non-compliance: GDPR lawful basis requirements, FCA Consumer Duty obligations, and SM&CR personal accountability all potentially engage when AI influences decisions or processes personal data.

Unreliable or biased outputs: AI tools used without oversight and underlying knowledge can produce outputs that are factually wrong, discriminatory, or inconsistent. In lending, advice, or risk assessment contexts, this is a serious concern.

Reputational damage: a single incident involving unsanctioned AI use and client data can move quickly. The reputational consequences of a data incident in financial services are rarely contained.

The Opportunity

Financial firms that engage with Shadow AI thoughtfully, mapping what is happening, assessing the tools their staff want to use, building governance around the best of them, and training their people properly, end up in a stronger position than those that either ignore the problem or simply prohibit everything.

The drive to innovate is an asset. Governance is what makes it safe to act on.

For support with AI vendor assessments, Shadow AI policy development, or staff training on responsible AI use in financial services, visit digitalregs.com.

The ICO investigated and found that Mr Blake had breached his legal obligations under Section 173 of the Data Protection Act 2018, a criminal offence involving the concealment of information to prevent disclosure.

This was not a data breach. It was not a cyberattack. It was a failure to follow basic data protection procedure, and it ended in a courtroom.

GDPR enforcement is real. And for financial services firms, the risks are considerably greater.

How Financial Firms Attract ICO Scrutiny

Financial firms are particularly vulnerable to ICO attention because of the volume and sensitivity of personal data they process, client financial histories, transaction records, investment profiles, and more. There are four primary pathways to regulatory scrutiny.

Direct complaints from individuals Clients or employees can lodge complaints about mishandled personal data, delays in responding to DSARs, inadequate responses, or persistent unsolicited marketing in breach of PECR. In financial services, complaints often stem from unauthorised sharing of investment profiles or failure to honour opt-out requests.

Media exposure High-profile coverage in outlets such as the Financial Times or BBC can amplify regulatory pressure rapidly. Stories about data breaches involving customer accounts, or algorithmic bias in lending decisions, can trigger ICO interest even without a formal complaint.

Internal referrals within the ICO If one ICO team identifies red flags, during a routine audit or a cyber incident report, they may escalate to specialist units. This is particularly relevant where financial regulation and data protection overlap.

Self-reporting Proactively notifying the ICO about a breach or compliance issue can itself initiate an investigation. In financial services this may involve phishing attacks on banking systems or leaks of AML data.

Even if a complaint does not lead to formal enforcement, it is recorded and contributes to your firm’s compliance profile. The ICO may request clarifications, recommend policy improvements, or in serious cases pursue regulatory action.

How the ICO Investigates

If scrutiny intensifies, your case may involve several ICO specialist teams:

Civil Investigations Team (CIVIT) handles non-criminal GDPR violations, such as inadequate data security in client onboarding.

Criminal Investigations Team (CRIT) investigates offences including unlawful disclosure of personal data or altering records to evade disclosure. They can execute search warrants, a scenario with the potential to disrupt operations across back, middle and front office.

Cyber Incident Response Team (CIRIT) focuses on breaches such as ransomware attacks on financial databases.

Privacy and Digital Marketing Investigations Team (PDMI) addresses spam and unsolicited communications, common in cross-selling financial products.

Financial Investigation Unit (FIU) pursues unpaid fines and ensures accountability for non-compliance.

Case officers assess the severity of the breach, the sensitivity of the data involved, the number of individuals affected, your response speed, and your overall compliance history. In financial services, where data obligations intersect with FCA rules and AML requirements, these assessments are particularly rigorous.

ICO enforcement tools range from advisory recommendations to binding notices requiring immediate action, or fines of up to 4% of global annual turnover or €20 million, whichever is greater.

Aggravating factors the ICO will consider include:

• Insufficient technical measures, assessed proportionally to the sensitivity of data held

• Lack of DPO independence or inadequate DPO training

• Poor staff awareness and insufficient training programmes

• Prior infringements

• Limited cooperation with the investigation

• Inadequate mitigation efforts

Litigation Risk: Beyond the ICO

Even without ICO action, individuals can sue for compensation under GDPR Article 82, claiming non-material damages, such as distress arising from a data leak affecting their credit score.

Legal professionals at a leading international City law firm have flagged inadequate training as a critical vulnerability, one that strips firms of their first and most effective line of defence in regulatory investigations. Courts will scrutinise your compliance culture. Robust, documented training for DPOs and staff is a tangible legal defence, not just a regulatory box-tick.

5 Signs Your Privacy Training Is a Liability

1. Your DPO cannot explain how GDPR overlaps with FCA rules In financial services, data protection does not operate in isolation. If your DPO cannot articulate how GDPR interacts with Consumer Duty, SM&CR, or FCA operational resilience requirements, your training has gaps.

2. Training has not been updated since 2022 The regulatory landscape has changed significantly. The Data (Use and Access) Act 2025, updated ICO guidance, and the intersection of AI with data protection all require your training to reflect the current environment.

3. Staff cannot recognise a DSAR A data subject access request does not need to use formal language. If your front-line staff do not know how to identify one and escalate it correctly, you are exposed.

4. You rely on generic e-learning modules Off-the-shelf data protection training does not address the specific scenarios your teams face, from client investment data to AI-assisted decisions. Generic training is not a defence.

5. You have no documentation of DPO advice or training logs If you cannot evidence that training happened, that advice was given, and that issues were recorded and addressed, you cannot demonstrate a compliance culture to either the ICO or a court.

Building a Resilient Compliance Culture

To handle individual requests efficiently and stay ahead of ICO scrutiny, financial firms need a proactive approach:

• Maintain up-to-date, sector-specific policies that reflect FCA and GDPR obligations together

• Empower your DPO with the resources, authority, and independence to do their job

• Document all training, advice, and remedial actions, if it is not written down, it did not happen

In financial services, where GDPR overlaps with FCA principles, AML directives, and increasingly with AI governance requirements, generic training is not sufficient. Tailored, documented, regularly updated training is what turns a potential vulnerability into a compliance strength.

To find out more about sector-specific GDPR training for financial services firms, AI governance training, or AI vendor risk assessments, visit digitalregs.com.

References: [1] Jason Blake, ICO [2] & [3] Investigations, ICO [4] Relevant aggravating and mitigating factors, ICO

The UK Government’s Five AI Principles

The UK government has confirmed five principles applicable to AI systems operating in the UK:

1. Safety, security and robustness

2. Appropriate transparency and explainability

3. Fairness

4. Accountability and governance

5. Contestability and redress

These are deliberately broad. Some interpretation guidance has been provided in the Government’s policy paper A pro-innovation approach to AI regulation, but firms should not wait for prescriptive rules before acting. The direction of travel is clear: boards and senior managers are expected to own AI risk.

What About the EU AI Act?

If your organisation operates in any capacity within the EU, whether through data processing, partnerships, or service delivery, you may also be subject to the EU AI Act. The high-risk provisions apply from August 2026. Understanding where your obligations begin and end is not optional.

A Five-Point Checklist for Leaders Implementing AI

Governance does not need to be complicated to be effective. Here is a practical starting point.

1. List all your AI systems and classify their risks

You cannot govern what you have not identified. Start with a full inventory of every AI tool your organisation uses, including those adopted informally by individual teams. Classify each by risk level: what decisions does it influence, whose data does it process, and what happens if it fails or produces a biased output?

2. Conduct or update your vendor assessments

If you are using third-party AI tools, your vendor assessments need to reflect AI-specific risks, data handling, model transparency, contractual protections, and the vendor’s own compliance posture. A standard IT due diligence questionnaire is not sufficient.

3. Review your training programmes from a compliance perspective

Most financial services firms have AI policies. Fewer have staff who know what to do with them. Training should cover what AI tools are approved for use, what data can be entered into them, when human review is required, and how to escalate concerns. Generic AI awareness training is not enough for a regulated environment.

4. Set up a regular monitoring infrastructure

AI systems drift. A model that performed well at deployment may produce different outputs over time as data patterns change. Build in regular review points, and document them. Regulators will want to see evidence of ongoing oversight, not just a one-time sign-off.

5. Monitor regulatory developments

The regulatory landscape for AI in financial services is moving quickly. The FCA has committed to publishing examples of good and poor practice later in 2026, following its AI Lab testing programme. DORA operational resilience requirements are live. The EU AI Act high-risk provisions apply from August. Staying informed is part of your governance obligation.

The Bigger Picture

Regulatory scrutiny of AI in financial services will increase throughout 2026. The firms that build governance into their AI implementation now, rather than retrofitting it later, will be better placed when that scrutiny arrives.

How does your AI governance compare to peer institutions? And how are you building competitive advantage through compliance excellence?

If you would like practical support implementing AI governance in a way that is cost-effective and proportionate to your firm, visit digitalregs.com.

Reference: A pro-innovation approach to AI regulation, GOV.UK