Are AI Voice Agents FCA Compliant? | Fortay Connect

Are AI Voice Agents FCA Compliant?

This article is for information purposes only and does not constitute legal or regulatory advice. Regulated firms should seek independent legal counsel and engage their compliance function before deploying AI voice technology.

AI voice agents can be deployed compliantly in FCA, SRA and PCI-sensitive environments. The platform alone will not make the deployment compliant, but that does not mean compliance is out of reach. What it means is that compliance must be designed into the governance, controls and use case scope from the outset, not assumed from a vendor's feature list.

Key takeaways before you read on:

  • FCA oversight is principles-based. There is no separate AI rulebook. Existing obligations around governance, accountability, consumer outcomes and operational resilience apply.
  • Compliance is not a native feature of AI voice platforms. Recording, retention, supervision and audit controls are firm-level responsibilities, typically layered on top of the core platform.
  • Scope matters more than technology. A bounded, low-consequence journey carries very different risk than one involving advice, complaints or vulnerable customers.

Does Compliance Come Built In, or Do You Need to Add Something?

This is the question that catches most regulated buyers off guard. AI voice platforms are built to handle conversations at scale. They are not built to meet your firm's specific regulatory obligations out of the box.

The FCA's approach to AI makes clear that existing principles, including governance, accountability, operational resilience and Consumer Duty outcomes, apply to AI-enabled services just as they do to any other channel. The platform vendor does not carry those obligations. Your firm does.

In practice, this means the compliance layer sits above the core platform. Tools such as Theta Lake, Smarsh and Zoom Compliance Manager are used by regulated firms to add recording, retention, supervision and audit capability on top of the voice agent stack. These are not optional extras for regulated deployments; they are the controls that make the deployment auditable and defensible.

The procurement question therefore shifts from "is this platform compliant?" to "what controls, integrations and operating model do we need to build around it?"

Platform capability              | Compliance overlay (firm responsibility)
---------------------------------|------------------------------------------
Natural language call handling   | Call recording and secure storage
Intent recognition and routing   | Transcript retention and retrieval
CRM and system integration       | Supervision and quality monitoring
Escalation to human agent        | Audit trail and decision logging
Out-of-hours availability        | Data residency and deletion workflows

No vendor can answer the compliance question on your behalf. The controls design is yours.

What About Call Recording, Retention and Data Residency?

For many regulated firms, the recording obligation is the most familiar part of the compliance picture. Under FCA SYSC 10A, firms undertaking certain regulated activities must record relevant telephone communications and retain them for a minimum of five years, or seven years in some cases. The obligation does not disappear because the call is handled by an AI agent rather than a human adviser.

What changes with AI voice agents is the scope of what needs to be governed. It is not only the audio recording that matters. Transcripts, AI-generated summaries, intent classifications and any derived outputs from the call can all fall within the firm's compliance scope. Retention policy needs to cover the full data trail, not just the audio file.

UK GDPR adds a further layer. Transparency obligations require that callers are informed when they are interacting with an automated system. Storage limitation principles mean data should not be retained beyond its legitimate purpose. And if the platform processes data outside the UK or EEA, sub-processor arrangements and data transfer safeguards need to be in place before go-live.

Controls checklist for recording and retention

Control                        | Why it matters                                          | Owner
-------------------------------|---------------------------------------------------------|--------------------------
Full call recording            | Regulatory obligation for in-scope journeys             | Firm / compliance team
Transcript capture and storage | AI outputs can be in scope alongside audio              | Technology / data team
Retention period by journey type | Different rules apply to different activities         | Compliance team
Data residency verification    | UK or EEA processing required for most regulated firms  | IT / vendor management
Sub-processor documentation    | GDPR accountability and transfer safeguards             | Legal / DPO
Deletion and retrieval workflows | Storage limitation and right of access obligations    | Technology / data team
Caller transparency notice     | GDPR transparency and AI disclosure                     | CX / compliance team

The practical implication: before deployment, firms should map every data type the AI agent creates or touches, confirm where it is processed and stored, and verify that deletion and retrieval workflows extend to transcripts and summaries, not just audio.

Can an AI Agent Handle Calls Involving Payments?

Payment-related journeys are higher risk and should not be treated as a default starting point for AI voice deployment in regulated environments. If a caller is providing card details or payment information during an automated interaction, the firm enters PCI DSS scope, and the controls required are significantly more demanding than those needed for routing or appointment booking.

The core concern is straightforward: sensitive card data must not be unnecessarily recorded, stored, transmitted or exposed. In a voice agent context, that means audio recordings and transcripts of payment-capture moments need to be either redacted in real time or, preferably, handled through a design that removes the AI agent from the payment flow entirely.

What this means in practice

  • Pause-and-resume recording is the most common approach: recording is suspended during card entry and resumed once the sensitive data has been captured by a separate, PCI-compliant payment system.
  • DTMF tone masking (where callers key in card digits rather than speaking them) reduces the risk of card data appearing in transcripts, but the design still needs to be validated against your PCI DSS scope.
  • Vendor attestation matters: the AI voice platform vendor should be able to confirm their own PCI DSS compliance status and the scope of their attestation. Do not assume it covers your deployment.

Payment capture via AI voice agent is technically achievable, but it is a specialist workflow requiring careful design, vendor validation and process containment. It is not a feature to enable by default and revisit later.
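As an added illustration (not code from Fortay or any vendor named above), the check below shows how a firm can verify that a pause-and-resume design actually keeps card numbers out of the transcript it retains: segments inside the payment window are dropped, and whatever remains is scanned for Luhn-valid digit runs. The segment format, the event names and the audit function are assumptions.

```python
"""Verify that retained transcript text contains no card numbers.
Added example; segment format and payment_start/payment_end events are assumed."""
import re

# 13-19 digits, optionally separated by spaces or dashes (as a speech-to-text engine might emit)
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_valid(digits: str) -> bool:
    """Luhn check: tells a plausible card number apart from a reference or phone number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid digit sequences found in free text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def retained_text(segments) -> list:
    """Apply pause-and-resume: discard anything between payment_start and payment_end."""
    recording, kept = True, []
    for seg in segments:
        if seg.get("event") == "payment_start":
            recording = False  # caller is handed to the separate PCI payment system
        elif seg.get("event") == "payment_end":
            recording = True
        elif recording:
            kept.append(seg["text"])
    return kept


def audit(segments) -> list:
    """List any card numbers that would survive into the retained transcript."""
    return [pan for text in retained_text(segments) for pan in find_pans(text)]


# Constructed sample call; 4111 1111 1111 1111 is a standard test card number
SAMPLE_CALL = [
    {"text": "Hi, I'd like to pay my outstanding balance."},
    {"event": "payment_start"},
    {"text": "the card number is 4111 1111 1111 1111"},
    {"event": "payment_end"},
    {"text": "Thanks, your reference is 1234567890123."},  # 13 digits but not Luhn-valid
]
UNPAUSED_CALL = [s for s in SAMPLE_CALL if "event" not in s]  # recording never suspended
```

Running `audit` over the two constructed calls shows the difference: the paused call retains nothing card-like, while the unpaused variant leaks the number and would pull the transcript store into PCI DSS scope.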

What Does Compliance Look Like for SRA Regulated Law Firms?

Law firms regulated by the Solicitors Regulation Authority face a compliance picture shaped by professional conduct obligations as much as data protection law. Client confidentiality, proper supervision of legal work and the handling of sensitive matter-related information all bear on how AI voice agents can be deployed.

The good news is that AI voice agents are a practical fit for law firms in the right context. The risk is not the technology itself; it is deploying it in the wrong part of the client journey before the controls are mature.

Control priorities for SRA regulated firms:

  • Start with bounded administrative journeys. Appointment booking, call routing, office hours information and basic matter status updates carry low consequence and limited confidentiality risk. These are appropriate starting points.
  • Keep legal advice and intake calls human-led. Any call that could result in legal advice being given, or that involves the substantive details of a client matter, should escalate to a qualified fee earner. AI agents should route, not advise.
  • Supervise AI-handled interactions. SRA Standards and Regulations require proper supervision of client-facing work. Firms should have a named individual responsible for oversight of AI agent activity, with regular review of transcripts and escalation patterns.
  • Audit trail from day one. Every AI-handled call should produce a retrievable record. If a client later disputes what was communicated, the firm needs to be able to demonstrate what the AI said and what action it took.
  • Data handling at client level. Transcripts and summaries may contain privileged or confidential information. Storage, access controls and deletion policies should reflect that sensitivity.

The SRA has not issued specific AI guidance equivalent to the FCA's published position, but its existing principles on competence, supervision and client protection apply fully. Firms should not wait for sector-specific AI rules before putting controls in place.

What Happens to My Deployment If the FCA Changes the Rules?

This is the question that comes up most consistently from regulated buyers, and it is a legitimate concern. The FCA has been explicit that its approach to AI regulation will continue to evolve. The EU AI Act is already shaping expectations across the industry. It would be naive to assume the regulatory environment for AI voice agents looks the same in 2027 as it does today.

But waiting is not the answer. The firms that wait for regulatory certainty before deploying AI will be the ones scrambling to catch up when their competitors have already built operational confidence and audit history. The safest path is not delay; it is modular design.

The principle: build your deployment so that a rule change requires updating a control, not rebuilding the service from scratch.

Four practices that make a deployment future-proof:

  1. Document scope and decision rights from day one. Which journeys does the AI handle? Who approved that scope? Who reviews it? Named accountability means a rule change triggers a review, not a crisis.
  2. Separate the AI capability from the compliance controls. If recording, retention and supervision sit in a dedicated compliance layer rather than baked into the platform, updating those controls does not require touching the core service.
  3. Maintain a vendor governance log. Track your platform vendor's compliance certifications, sub-processors, data residency commitments and any changes to their terms. Regulatory scrutiny often starts with vendor due diligence.
  4. Build in a scheduled review cadence. Compliance is not a one-time sign-off. Quarterly or bi-annual reviews of AI agent performance, escalation patterns and regulatory developments keep the deployment defensible over time.

Regulation catching up to AI is not a reason to stall. It is a reason to build carefully, document thoroughly and choose an implementation partner who understands both the technology and the regulatory context.

Are We Even in Scope?

Not every regulated firm faces the same compliance exposure, and not every AI voice deployment sits in the same risk category. Scope depends on the journey type, the customer type, the data handled and whether the AI interaction touches advice, support, complaints or financial decisions.

A question that comes up regularly on regulated sales calls is whether a B2B or internal-facing workflow is treated differently in practice. The short answer is yes. A voice agent handling internal IT helpdesk routing or B2B appointment scheduling carries materially different risk than one handling direct-to-consumer financial queries. The regulatory obligations around Consumer Duty, for example, apply to consumer-facing interactions; they do not automatically extend to a B2B overflow triage workflow.

The practical scoping lens is consequence and customer type:

Journey type                          | Likely regulatory scrutiny | Notes
--------------------------------------|----------------------------|--------------------------------------------------
Out-of-hours routing, B2B             | Low                        | Minimal consumer exposure, bounded scope
Appointment booking, consumer-facing  | Low to medium              | GDPR transparency applies; recording may apply
Overflow triage, general enquiries    | Medium                     | Depends on what information is exchanged
Status updates, account queries       | Medium                     | Data handling and retention obligations apply
Complaints handling                   | High                       | FCA complaints rules apply; human review required
Financial advice or eligibility       | High                       | Regulated activity; AI handling not appropriate
Vulnerable customer interactions      | High                       | Consumer Duty heightened obligations apply

If your primary use case sits in the lower rows of that table, the compliance burden is significantly higher and the controls design needs to reflect that before go-live, not after. If you are starting in the upper rows, you are in a much more manageable position.

Which Regulated Use Cases Are Safe to Start With, and Which to Avoid?

The implementation principle for regulated firms is the same as for any complex deployment: start bounded, build confidence, then expand scope as controls mature.

Safer first deployments              | Defer until controls are mature
-------------------------------------|------------------------------------------
Out-of-hours call routing            | Vulnerable customer conversations
Overflow triage and signposting      | Complaints handling
Appointment booking                  | Financial advice or eligibility decisions
Office hours and general FAQs        | Payment capture
Internal B2B handoff and scheduling  | Sensitive client intake (legal or financial)

Fortay's AI virtual agent implementation guide sets out where mid-market teams should start. For regulated firms, the same logic applies with one additional filter: every use case needs a compliance sign-off before go-live, not after. The journeys in the right column above are not permanently off-limits; they require a higher level of controls maturity, documented oversight and, in some cases, independent review before deployment.

If you are unsure which column your first use case sits in, that is exactly the conversation to have before committing to a platform.

Frequently Asked Questions

Are AI voice agents FCA compliant?

AI voice agents can be deployed compliantly under FCA regulation. The FCA does not operate a separate AI rulebook; existing principles around governance, accountability, Consumer Duty and operational resilience apply. Compliance depends on the use case, the controls designed around the deployment and the firm's ability to evidence outcomes, not on the platform itself.

Can an AI agent handle calls involving payments?

Yes, but it requires specialist design. Payment-capture journeys bring PCI DSS obligations into scope. Audio recordings and transcripts must not expose sensitive card data unnecessarily. Pause-and-resume recording and DTMF tone masking are common approaches, but the design must be validated against the firm's specific PCI DSS scope and the platform vendor's attestation confirmed before go-live.

What does compliance look like for SRA regulated law firms?

SRA regulated firms should start AI voice agent deployments with bounded administrative journeys: appointment booking, call routing and general office queries. Any call that could involve legal advice, substantive client matter details or complaints must escalate to a qualified fee earner. Named supervision, audit trails and client-level data handling are the minimum controls for a defensible deployment.

What happens to my deployment if the FCA changes the rules?

Modular design is the answer. Build so that compliance controls sit in a separate layer from the core AI capability, document scope and decision rights from day one, maintain a vendor governance log and schedule regular reviews. A rule change should require updating a control, not rebuilding the service. The firms best placed to adapt are those that have already built the governance infrastructure.

Ready to Deploy Compliantly?

Compliant AI voice agent deployment in a regulated firm is achievable. It requires the right use case, the right controls design and an implementation partner who understands both the technology and the regulatory context.

Fortay works with compliance, operations and IT leads in financial services, legal, insurance and building societies to scope, design and deploy AI voice agents that are built for regulated environments from day one. If you are ready to assess your readiness or want to understand which journeys are the right starting point for your firm, book a consultation with the Fortay team.

For readers who need to understand the basics of how AI voice agents work before addressing the compliance question, the AI receptionist guide covers the fundamentals. When you are ready to evaluate platforms, the best AI virtual agent platforms for UK businesses shortlist is a practical next step.