The FCA’s David Geale said it in three words. Individuals in financial services firms are “on the hook” for harm caused to consumers through AI.
That line sits in the Treasury Committee’s January 2026 report. The same report asked the FCA to publish guidance by the end of 2026 on the level of assurance expected from senior managers under the SMCR for harm caused through the use of AI.
In plain terms: the FCA has confirmed you are responsible, but has not yet told you what “being responsible” actually requires you to do. That part arrives at the end of 2026. Until then, every Head of Compliance and Chief Risk Officer in the country is accountable for something the regulator has not finished explaining.
Why SMCR was never going to bend around AI
The FCA has held the same line since 2023, and it is not a complicated one. The accountability rules that already exist apply to AI the same way they apply to a spreadsheet, a junior adviser, or a bad Tuesday.
No new job title for “the AI person.” No special AI rulebook. No get-out clause that starts with “well, the model decided.”
To see why, you have to know what the regime was built to stop. Before SMCR, when something blew up in a bank, everyone had somewhere to point. The senior manager blamed the culture. The firm blamed the trader. The committee blamed itself, which is a polite way of saying nobody.
SMCR shut those exits. It put a name against each manager’s patch and a personal duty on them to take reasonable steps to stop things going wrong there.
So “the algorithm did it” is just the old dodge wearing a hoodie. The whole point of the regime is that the regulator can always find a human being. The agent does not take the call. The named senior manager does.
So whose name is on it?
First question in the room: who owns the agent?
There is no Senior Management Function for AI, and there is not going to be one. Instead, the agent slots into the functions that already exist, and depending on what it does, three usually end up holding it.
The Chief Executive, or whoever holds overall responsibility for the business area (SMF1 or SMF18). If the agent matters to how the firm runs or where it is going, the buck stops here. This is the person who has to look a supervisor in the eye and explain why the thing was switched on.
Compliance and the money laundering lead (SMF16 and SMF17). They own the rulebook the agent gets marked against. If you cannot show that what the agent said and did lines up with Consumer Duty, anti-money-laundering rules, and conduct obligations, compliance is in the conversation whether they like it or not.
The Chief Risk Officer (SMF4). Risk decides whether the agent is safe to let out, what guardrails sit around it, and who is watching once it is live. When something goes wrong, the evidence that the agent was tested and controlled lands on the CRO’s desk.
Most firms will spread the responsibility across all three, written into a Statement of Responsibilities. The agent does not get its own job title. It gets a human name attached to every stage of its life.
What “doing your job properly” really means
The legal test is “reasonable steps”. Not perfect steps. Just the steps a sensible person in that role would have taken, written down while they were doing it, and able to hold up later.
The trouble is that the FCA has not published the AI version yet. So managers are taking a rulebook written for humans and applying it to software on their own.
Five things keep coming up.
A documented decision to deploy. The named senior manager signs off on the deployment in writing, with the specific controls they relied on listed. “I approved this on the basis of the following evidence” beats “I delegated this to the team” every time.
A pre-deployment evidence pack. Stress testing, failure mode inventory, remediation log, residual risk statement. The senior manager is signing off on the contents of that pack, not the existence of it.
A monitoring regime. What metrics are tracked. What thresholds trigger escalation. Who reviews them and how often. The agent making thousands of decisions a day cannot be assured the same way an adviser making twenty was.
A retrievable audit trail. When the FCA asks why the agent took a specific action with a specific customer six months ago, the senior manager needs an answer. Not a probability distribution. An answer.
An intervention pathway. When the agent behaves outside risk appetite, what happens. Who is alerted, on what timescale, with what authority to act. Post-event analysis is not intervention. By the time the harm appears in the data, the harm has already happened.
A manager who can lay all five on the table, with dates and names, has done their job. One who cannot is holding a problem no clever model will solve for them.
“But we bought it from a vendor”
Most firms running this stuff did not build it. They licensed it. SMCR could not care less.
Your name stays on the hook for what the agent does in the firm’s regulated work, whoever built the model. A contract can move the financial liability around. It cannot move the regulatory liability anywhere. The vendor is an outsider. The senior manager is the regulated human.
Here is the practical sting. All those clauses in the contract, the audit rights, the documentation, the promise to tell you when something breaks, are part of your evidence. A right you never use proves nothing. And an off-the-shelf model with no finance background and no log of what it did cannot be talked into compliance at the last minute.
What happens when the guidance lands?
The FCA has said it will deliver by the end of 2026. We do not know the wording yet, but the direction is not hard to read.
Expect a flat statement that the duty covers AI systems in your area, with no relief for handing the decision to a machine. Expect a clear account of what evidence the regulator wants to see. Expect a few worked examples showing where the line falls.
If your plan is to wait for that document before doing anything, you have misread the clock. Your accountability does not begin when the guidance is published. It began the day the agent went live.
Build your evidence now and the rest of 2026 is spent sharpening it. Wait, and you spend that time assembling the file after the fact, which is a far worse conversation to be having with a supervisor.
When the FCA does call, the agent will not pick up. You will. The only thing that matters by then is whether your answer is already sitting in a file, with your name on it, written long before anyone thought to ask.