Insights

The Mills Review and the governance response

Imagery of binary data going through a tunnel

What the FCA's review of AI in retail financial services mean in practice, and how it maps to S&W's governance framework for firms.


In summary:

  • The Mills Review published by the FCA earlier in July outlines how AI may reshape retail financial services for consumers, firms, markets and regulators
  • It notes that as reliance on AI increases, effective governance becomes a key practical constraint on safe adoption
  • In many ways, the review aligns closely with our new AI governance framework, which provides firm-level guidance for adapting to the changes the review predicts
  • Firms must begin to put in place agentic controls, determine operator roles and carefully consider limits and controls for autonomous operations

The Mills Review overview

The Mills Review, published by the FCA this month, sets out how artificial intelligence could reshape retail financial services by 2030 and beyond. Its organising idea is an autonomy spectrum, along which the human role moves from operator, through collaborator, consultant and approver, to observer, as AI takes on more of the work. The same technology carries different benefits and risks depending on where the human sits, and the key issues shift from accuracy and reliance towards consent, accountability and redress as delegation increases.

The review identifies four system shifts to 2030: AI becomes core to how firms operate; consumer journeys become agent-led; competition is reshaped around control of the AI-mediated interface; and financial crime and cyber risk are amplified. It concludes that the UK's principles-based, outcomes-focused framework remains sound and needs progressive adaptation rather than replacement.

It also makes seven recommendations to the FCA board covering the regulatory perimeter, system-wide coordination, the transition to autonomous models, the FCA's AI Lab, the foundations for agentic finance, an AI-enabled supervisory model, and a public-interest financial capability service.

Our view on the review

The review supports our view that, as delegation to AI increases, accountability becomes harder to trace and governance becomes the practical constraint on safe adoption. This is the challenge our AI governance framework was built to manage. A detailed, 40-page policy framework, it is designed to enable businesses to explore and innovate with AI tools, while controlling the risks.

The Mills Review makes that case at the level of the market and the regulator, while our firm-level governance framework outlines how an individual organisation responds to it.

For firms, the strategic message is that AI governance is no longer a compliance overhead. It is the capability that determines how quickly and how safely AI can be adopted, and increasingly it is a source of competitive advantage. The review says as much, observing that firms able to evidence auditability, testing, clear permissions and effective monitoring will deploy AI more confidently than those that cannot. Our framework provides an operating practice for addressing that challenge.

As delegation to AI increases, accountability becomes harder to trace and governance becomes the practical constraint on safe adoption.

Where the review and our framework align

On almost everything within a firm's own control, the review and our framework describe the same problems (albeit from different perspectives) and propose the same or similar controls. 

The strongest alignment is on the agentic frontier. The review devotes an annex to the building blocks of agentic finance, identity, mandates, authority to act, liability and audit. It warns that prompt injection and agent-to-agent interaction are risks already realised in practice. Our framework addresses each of these, from the separation rule and distinct agent identity to credential-layer enforcement, connector and Model Context Protocol approval, multi-agent composition and a tested kill switch. 

A firm that has implemented this section of our framework will have already built much of what the Mills Review says the market now needs.

The table below sets out the main points of alignment.

Where the review looks above the firm

Not everything in the review can be answered by a firm's own governance. As an advisory review for a regulatory body, unsurprisingly many of its themes and recommendations sit at the level of the market or the regulator. Our framework, by design, does not try to solve these issues, since firms cannot control them, but they should monitor them and prepare for them.

The first is the regulatory perimeter and the AI-mediated interface. The review's central competition concern is that general-purpose tools such as ChatGPT, Claude and Gemini increasingly shape consumer decisions from outside the perimeter, and that whoever controls the interface between the consumer and the market gains real power.

A firm's framework governs its own AI, but it cannot govern this perimeter. What firms can do is track where the boundary moves and how their products are represented to the agents and interfaces that customers increasingly use.

Firms should anticipate a shift away from periodic returns towards continuous, structured supervisory data.

The second issue is the demand that an AI-enabled regulator will place on firm data. The review's proposed agentic supervisory model depends on firms providing timely, structured, machine-readable data so that risks can be detected across the market in near real time. Our data governance and logging controls support this, but firms should anticipate a shift away from periodic returns towards continuous, structured supervisory data, and prepare their data estates accordingly.

The third is cyber risk at machine speed. The review observes that frontier models can now identify and exploit vulnerabilities in real-world software, and argues that defence will need to operate at machine speed. Cyber security is not explicitly in scope for our AI governance framework. Conventional security controls remain necessary, but firms that have underinvested in cyber fundamentals will be increasingly exposed, and defensive capabilities will themselves need to become AI-enabled.

The final issue is the proposed public-interest financial capability service. This is a market development rather than in a firm’s control, but it will shape what clients and customers come to expect of free, trusted, AI-enabled guidance. Firms should factor that expectation into how they position their own services.

What firms should do now

Reading the review in the context of a working governance framework points to a small number of practical priorities:

  • Treat governance as a capability, not a gate. Put the velocity mechanisms in place early, so that low-risk use is enabled quickly and scrutiny is concentrated where it matters. Governance that becomes a bottleneck simply pushes AI use into the shadows, as the review warns
  • Build the agentic controls before the agents arrive. The review’s building blocks for agentic finance and our framework’s Section 9 describe the same set of controls. Firms that establish agent identity, least privilege, the separation rule and a tested kill switch before deployment will adopt agents safely, while those who retrofit will not
  • Determine operator role and jurisdiction per use case. The review confirms that regulatory approaches are diverging. Each use case with an EU element should record its EU AI Act operator role, and the applicable data-protection regime should be determined per use case rather than assumed
  • Protect the reviewer. As autonomy rises, the human control on which everything else rests is the element most likely to quietly decay. Challenge-rate metrics, rotation and capability preservation are not optional extras; they are what keep review-based controls real
  • Prepare for continuous supervision. Structure data, logs and outcome records so they can support machine-readable supervisory flows, ahead of any move by the regulator towards agentic supervision 
  • Set the autonomy ceiling deliberately. The review points towards observer-mode agentic finance for consumers. Sound firm-level governance need not ban this, but should permit fully autonomous operation of higher-risk activities only under a defined accountability package. Specifically, there should be a named senior owner (who remains accountable under SMCR), a bounded and revocable mandate, retained approval gates on irreversible or high-consequence actions, full traceability, and a tested kill switch and fallback plan, as well as formal acceptance of the residual risk. Where that ceiling sits should be a conscious risk decision, revisited as the identity, mandate and liability infrastructure that the review calls for matures

Setting the direction

The review and our firm-level framework are two halves of the same argument. The review says the system must adapt as AI moves along the autonomy spectrum. A governance framework is how an individual firm adapts.

In our view,  organisations that treat AI governance as an operating capability, and that put it in place before the most autonomous use cases arrive, will be the ones able to adopt AI quickly, evidence their outcomes, and compete as the market moves. The review sets the direction. Disciplined governance is how firms travel it safely.

Control that powers innovation

Find out more about our consulting services for taking charge of AI.