The UK's financial regulator draws a sharp distinction in principle: the FCA regulates activities, not entities. A firm needs permission to carry out a regulated activity, and it doesn't matter, in theory, whether that firm is "a bank, an insurer, a technology firm or even a dentist," as the Mills Review puts it. The FCA-commissioned review, published this month and led by executive director Sheldon Mills, warns that this activity-based model may come under real strain as AI adoption accelerates and the boundaries between financial firms and technology companies continue to blur.
The review recommends the FCA examine, within three to six months, how consumers are already using general-purpose AI tools including ChatGPT, Claude and Gemini for financial decisions, and whether current perimeter guidance adequately captures that activity. Securing and adapting the regulatory perimeter is one of seven priority recommendations made directly to the FCA Board, alongside building what the review calls an "Agentic Supervisory Model" to help the regulator monitor system-wide AI risks rather than relying solely on firm-by-firm supervision.
The review's call comes against the backdrop of rapid AI adoption. More than 20 frontier AI models were released while the review was being written, and research commissioned for it found that roughly a quarter of consumers already trust general-purpose chatbots for financial advice, largely unaware that the formal complaint and redress routes protecting regulated advice simply don't apply to those tools.
The Digital Comparison Association (DCA), which represents the UK's digital comparison industry and submitted evidence to the review earlier this year, welcomed the recommendation.
"We particularly welcome the Review's focus on adapting the regulatory perimeter to prepare for the growth of AI-enabled financial activities," a DCA spokesperson said. "As consumers increasingly receive information, recommendations and support from AI services, it is essential that the same protections, standards and mechanisms to drive good customer outcomes and allow for appropriate redress apply regardless of where a provider or technology is based."
The DCA said the future of AI in financial services should be built on strong consumer protection and a level playing field for firms, welcoming the review's recommendations as a basis for future work with the FCA, government and industry.
For insurance specifically, that raises an uncomfortable question: if a consumer asks a general-purpose AI model whether they need life cover, or which motor policy suits them best, and the model gets it wrong, who is actually accountable, and does the FCA even have jurisdiction to find out?
The review is explicit that it isn't calling for the FCA to rush into new rules. FCA chair Ashley Alder has framed the existing principles-based approach, anchored in the Consumer Duty and the Senior Managers regime, as flexible enough to have kept pace with technological change so far. But the longer-term recommendation is more pointed: the FCA should keep the effectiveness of its entire activity-based perimeter under continuous review as AI capability advances, rather than treating today's framework as a fixed settlement.
For insurers, the practical stakes are less about their own regulatory status, which remains clear, and more about the intermediaries and technology partners increasingly sitting between them and the customer. If a general-purpose AI tool is effectively steering discovery, comparison and switching decisions for insurance products without falling inside anyone's regulatory perimeter, that's a supervisory gap insurers themselves may end up having to manage commercially, well before the FCA finishes deciding how to close it.