ChatGPT in UK financial services: what the FCA changed

By Riz Pabani on 17-May-2026

On Friday, the FCA, the Bank of England and HM Treasury put out a joint statement on frontier AI models and cyber resilience.

If you work in a UK bank, asset manager or insurer, you've probably already had it forwarded to you twice. Maybe with a one-line "thoughts?" from someone senior. Maybe with a forwarded compliance note that didn't really say what to do.

This piece is for the person who has to give the actual answer. Specifically, the senior individual contributor at VP, Director or MD level, who's been quietly letting their team use ChatGPT for the last twelve months and now has to work out what changes on Monday morning.

The short version: the regulators haven't banned anything. They haven't even introduced new rules. But they've made it harder to pretend the existing ones don't apply to ChatGPT in UK financial services.

What the FCA, Bank of England and HM Treasury actually said

The 15 May statement is short. It's worth reading in full rather than relying on summaries. But the substantive moves are these.

First, the statement is centrally about cyber resilience. The regulators' specific concern is that frontier AI models now exceed what a skilled human attacker could do, at greater speed and lower cost. The framing is financial stability, which puts this in the same risk category as a large bank failing or a major payment system going down. It's not a category any regulator uses casually.

Second, the supervisory expectation is that boards and senior management have sufficient understanding of frontier AI risks. The statement explicitly says it does not introduce new regulatory requirements. It brings together existing expectations and reinforces them in light of how fast the operating environment is changing.

Third, the practical effect is that the personal accountability your firm's senior managers already carry under SMCR now has to extend to any frontier AI in use. That includes ChatGPT, Claude, Copilot, Gemini and any other model your team is paying for. Internal models too, but the third-party stack is the part most existing AI policies haven't caught up with.

So the regulator has not said you can't use ChatGPT. It has said that if your team is using it and something goes wrong, the firm needs to point at a named senior person who was responsible for making sure it was being used properly, and that person has to be able to speak to it.

The 1,000-alerts problem

There's a story doing the rounds that captures the regulators' concern almost perfectly.

A global manufacturing group recently found that more than 1,000 of their AI-generated compliance alerts had been cleared in under a minute. No reviewer could explain why any individual alert had been dismissed. The audit trail looked clean. The decisions weren't.

Replace "manufacturing group" with "tier-one investment bank" or "FTSE 100 insurer" and you can see why the FCA, Bank of England and HM Treasury are now writing joint statements.

The problem isn't that AI made the decisions. It's that nobody can reconstruct why. And under SMCR, that's the version of the problem the regulator cares about most.

If a senior manager is asked, six months from now, "what was the basis for clearing those 1,000 alerts?", and the only honest answer is "the tool did it", that is now a regulatory issue with their name on it. Not the vendor's. Not the model's. Theirs.

Can your team still use ChatGPT at work in financial services?

Yes. With caveats that aren't actually new. They just have more teeth now.

The realistic answer is some version of:

Your firm almost certainly has an existing AI policy. Most large UK financial institutions wrote one in 2023 or 2024. It probably allows tools like ChatGPT, Claude or Copilot for non-confidential tasks: drafting, summarising public material, brainstorming, learning. It probably restricts client data, MNPI, regulated submissions, and anything that ends up in a regulated document.

What the FCA statement does is shift the burden. The default assumption used to be that the policy was enough. The new assumption is that the policy is the floor, and the firm has to be able to show the policy is being followed, by named people, with evidence.

Which is a much harder bar.

In practice, the question I now get asked most often in 1-2-1 sessions with senior finance people is some version of: "We've been using ChatGPT informally for a year. How do I work out what's actually happening on my team's machines, and whether any of it is going to come back to me?"

It's a good question. And in most cases, no one has actually sat with the people involved and asked.

What changes for senior finance professionals this week

Three things, roughly in order of urgency.

One: assume someone is going to ask you what your team is doing with AI.

If you're a VP or above in a regulated UK financial services firm, this is no longer a hypothetical. Internal audit, compliance, your own line manager, or eventually the regulator itself, is going to ask. The right time to have a clear, specific answer is before the question lands.

Specific looks like: which tools are being used (ChatGPT free, ChatGPT Team, Claude, Copilot, something else), by which people, for which kinds of task, with which kinds of inputs.

"I think most of them use ChatGPT sometimes" is not a defensible answer.

Two: separate the tools you can speak to from the ones you can't.

There is a real difference between an enterprise-licensed ChatGPT Team or Claude for Work deployment, where your firm controls retention, logging and data residency, and the consumer ChatGPT account someone in your team set up with their work email last spring.

Under the new statement, both count. But your governance position is very different depending on which one you're talking about. The first is auditable. The second isn't.

If you don't know which one your team is using, that's the first thing to find out.

Three: get yourself fluent in the tools, fast.

I'll be honest. This is the one most senior finance professionals duck.

If you're an MD in capital markets, you didn't get to where you are by being the person in the room who didn't know what was going on. But for AI specifically, a lot of senior people have outsourced the question. To their juniors, to their COO, to "the tech team", to a vendor.

That worked when AI was a productivity-tool conversation. It does not work when it's a personal accountability one.

The senior manager who can sit down and say "I've used the tool, I know what it can and can't do, here's how my team uses it, here's the evidence we keep" is in a different position from the one who can't. SMCR is built around the assumption that the senior person can speak to the substance, not just the org chart.

What I do in a 1-2-1 with senior finance professionals on this

The clients I'm working with right now in banking, asset management and insurance tend to want some version of the same conversation. So the session ends up shaped around three things.

We sit down with whichever AI tool they're actually paying for, whether that's ChatGPT, Claude, Copilot or all three, and use it on a real task they brought with them. Not a demo task. Their pitch book outline. Their internal memo. Their KYC summary. Their regulatory response draft. Whatever's open in another tab.

Then we work through what the tool can and can't be trusted with. Not in the abstract. Specifically, with the firm's actual data sensitivities. We talk about where the prompt goes, what gets logged, what the tool was trained on, and where the failure modes are. The Klarna story comes up a lot here. The one where they replaced 700 customer service agents with AI and then quietly hired humans back. It's the cleanest example I know of the gap between vendor pitch and operational reality.

And then we work on the governance answer. The deliverable is a single sentence the senior person can actually say out loud, in front of compliance or their own line manager, instead of yet another policy document filed away in SharePoint.

Recently I sat with a director at a UK insurer whose team had been using consumer-account ChatGPT informally for the better part of a year. We spent the hour mapping which tools, which people, and which kinds of input; by the end she had a single sentence she could actually say to her line manager about what was happening and who owned it. That's the deliverable.

The honest take

The FCA statement isn't a regulatory cliff. UK financial services has been heading towards exactly this position for two years.

What it does is collapse the timeline. The conversations that "we'll need to have at some point in 2026" are now this quarter. Which AI tools are actually in use. Who's accountable. Whether the people whose names are on the policy can speak to what their team is doing.

If you're a senior individual contributor in a regulated UK firm and you've been hoping this would resolve itself, it won't. The friendliest version of the FCA statement is still saying: be ready.

That's a manageable position. It's just not an ignorable one.

If you want a hand getting ready

I run 90-minute 1-2-1 AI training sessions with senior professionals in UK financial services. Bespoke, confidential, on the tools your firm is already paying for.

The £699 1-2-1 is for the case described above: the question is personal, the stakes are SMCR-shaped, and you want a quiet hour with someone who'll be honest about what your tools can and can't be trusted with.

If you'd rather start smaller, the £199 Power Hour is a 60-minute productised version focused on a single prescribed task. For a finance professional, the most useful one right now is a clean version of the "what's my team actually doing with AI?" audit.

If you're not sure which is right for you, message me. I'll tell you honestly.
