Fortay Connect works with UK financial services firms to design and deploy AI contact centre solutions that are built for FCA compliance from day one - not retrofitted to it. If you are planning an AI deployment or reviewing your current setup, get in touch to discuss your requirements.
Key Takeaways
- The FCA applies Consumer Duty, SM&CR, and Principles 6 and 7 to AI contact centre interactions. There is no bespoke AI regulation.
- A named Senior Manager must own AI risk. Personal liability under SM&CR extends to AI outputs.
- Every AI interaction must be logged, retrievable, and mappable to a good customer outcome.
- Vulnerable customer detection and escalation protocols must be built into the AI layer, not added afterwards.
- AI models drift. Scheduled bias and accuracy audits are a compliance requirement, not a best practice.
- Governance design comes before technology selection. Always.
Every financial services firm in the UK knows AI is coming to the contact centre. Most are already piloting it. But there is a question that keeps surfacing in boardrooms and compliance meetings that almost nobody is answering clearly: what does a contact centre that uses AI and stays on the right side of the FCA actually look like in practice?
This is not an abstract question. The FCA's Consumer Duty, which came into full force in July 2023, requires firms to demonstrate with evidence that their customer service delivers good outcomes. The Senior Managers and Certification Regime (SM&CR) means individual executives carry personal liability for AI failures. And the FCA has confirmed it will not create bespoke AI regulations; instead, it is applying existing frameworks harder.
The result is a compliance environment that is demanding, ambiguous, and increasingly scrutinised. Getting it right is not just a technology problem. It is a governance, process, and accountability problem.
The core principle: the FCA does not care whether a human or an AI handled the interaction. It cares whether the outcome for the customer was good and whether the firm can prove it.
An FCA-compliant AI contact centre is entirely achievable. But it looks quite different from a standard AI deployment, and understanding those differences is the starting point for getting it right.
The Regulatory Frameworks That Apply
The FCA does not publish a checklist for AI contact centres. What it does publish and enforce are outcome-based frameworks that apply regardless of which technology a firm uses. Three are most directly relevant.
Consumer Duty
Consumer Duty requires firms to act to deliver good outcomes for retail customers across four areas: products and services, price and value, consumer understanding, and consumer support. For AI in the contact centre, the consumer support outcome is the most immediately relevant. Firms must be able to show that their AI-assisted or AI-led interactions actually help customers, not just that the technology is deployed.
SM&CR Personal Accountability
Under SM&CR, a named Senior Manager must be accountable for each material risk area, including technology risk. When AI is deployed in a customer-facing context, that accountability extends to the AI's decisions and outputs. If an AI system gives incorrect information, handles a vulnerable customer inappropriately, or produces a biased outcome, a Senior Manager is personally in the frame.
FCA Principles for Businesses
Principle 6 (treating customers fairly) and Principle 7 (communications must be clear, fair, and not misleading) apply directly to AI-generated customer interactions. An AI that produces confusing, incomplete, or misleading responses is a regulatory liability, not just a customer experience problem.
What an FCA-Compliant AI Contact Centre Actually Looks Like
Compliance is not a feature you switch on. It is built into the architecture, governance, and processes surrounding the AI. Here is what that looks like in practice across the five areas that matter most.
1. A Named Accountability Owner
Every AI system deployed in a customer-facing context needs a named Senior Manager who owns the risk. This is not just a box-ticking exercise. It means that person has visibility of how the AI is performing, receives escalations when it fails, and can demonstrate to the FCA that oversight is active and documented.
2. Full Interaction Logging and Audit Trails
An FCA-compliant AI contact centre records and retains every AI-assisted or AI-led customer interaction in a retrievable format. This is not optional. It is the evidence base for demonstrating good outcomes under Consumer Duty. Firms must be able to pull any interaction, review what the AI said or did, and show how it maps to the required outcome.
Key requirements for compliant interaction logging:
- All AI-generated responses stored with timestamps
- Escalation points (where AI handed off to a human) clearly flagged
- Sentiment and outcome data captured at interaction close
- Retention periods aligned to FCA record-keeping requirements (typically 5-7 years for regulated activities)
3. Vulnerable Customer Detection and Escalation
The FCA's guidance on vulnerable customers is explicit: firms must identify vulnerability and respond appropriately. An AI that cannot detect signs of vulnerability, such as distress, confusion, bereavement, or financial difficulty, and escalate to a human agent is not FCA-compliant, regardless of how well it handles standard interactions.
Compliant AI contact centres build vulnerability detection into the AI layer itself, with defined escalation triggers and human handoff protocols that are tested and documented.
4. Explainable Decisions and No Black Boxes
If the FCA asks why a customer received a particular response, or why an AI routed a complaint in a specific way, the firm must be able to answer. AI systems that operate as black boxes, producing outputs without traceable reasoning, are incompatible with the FCA's expectations around accountability and explainability.
This does not mean every AI decision needs a written rationale. It means the system architecture must allow compliance teams to reconstruct decision logic when required.
5. Regular Bias and Accuracy Auditing
AI models drift. Training data becomes outdated. A model that performed well at deployment may produce different outputs six months later. FCA-compliant contact centres run scheduled audits of AI accuracy and bias, checking whether the AI is treating different customer segments consistently and whether its outputs remain aligned with regulatory requirements.
|
Compliance Element |
What It Requires |
Why It Matters |
|---|---|---|
|
Named accountability |
Senior Manager owns AI risk |
SM&CR personal liability |
|
Interaction logging |
Full audit trail, retrievable |
Consumer Duty evidence |
|
Vulnerability detection |
Escalation protocols built in |
FCA vulnerable customer guidance |
|
Explainability |
Decision logic traceable |
Regulatory scrutiny readiness |
|
Bias auditing |
Scheduled model reviews |
Consistent customer outcomes |
The Mistakes That Create Compliance Risk
Most compliance failures in AI contact centres are not the result of bad intentions. They come from deployment decisions made without sufficient regulatory context. The most common patterns we see when advising financial services firms:
- Deploying AI without a governance framework first. The technology goes live before anyone has defined who owns the risk, how interactions are reviewed, or what happens when the AI gets it wrong.
- Treating AI as a cost-reduction tool rather than a customer-facing system. Firms that focus exclusively on handling time and deflection rates tend to underinvest in the compliance infrastructure that makes AI sustainable.
- Assuming the vendor handles compliance. Technology vendors sell platforms. They do not design your governance framework, assign your SM&CR accountability, or ensure your AI meets the FCA's vulnerable customer requirements. That responsibility sits with the firm.
- No plan for model drift. AI that is not monitored will degrade. Firms that deploy and forget are building a compliance liability that grows quietly over time.
The part most firms miss: FCA compliance for AI is not a one-time implementation task. It is an ongoing operational responsibility that requires the same rigour as any other regulated activity.
Where to Start
For financial services firms at the beginning of their AI contact centre journey, the practical starting point is not technology selection. It is governance design.
Before evaluating platforms or vendors, firms should be able to answer three questions:
- Who is the named Senior Manager accountable for AI risk in the contact centre?
- How will we evidence good customer outcomes under Consumer Duty for AI-handled interactions?
- What is our escalation protocol for vulnerable customers identified by the AI?
If those three questions have clear answers, the technology selection conversation becomes significantly more straightforward. If they do not, deploying AI creates regulatory exposure regardless of which platform is chosen.
The firms getting this right are not necessarily the ones with the most sophisticated AI. They are the ones that treated compliance architecture as a prerequisite, not an afterthought.
Fortay Connect works with UK financial services firms to design and deploy AI contact centre solutions that are built for FCA compliance from day one, not retrofitted to it. If you are planning an AI deployment or reviewing your current setup, get your free technology audit now.
FAQs
1. Does Consumer Duty apply to AI-handled customer interactions?
Yes. Consumer Duty applies to all customer interactions regardless of whether they are handled by a human or an AI. Firms must be able to demonstrate that AI-led contact centre interactions deliver good outcomes, particularly under the consumer support outcome.
2. Who is accountable for AI failures in a financial services contact centre?
Under SM&CR, a named Senior Manager must own accountability for each material risk area, including technology risk. If an AI system produces a harmful or incorrect outcome for a customer, that Senior Manager carries personal regulatory liability.
3. What does the FCA require for vulnerable customer handling in AI contact centres?
The FCA's finalised guidance on vulnerable customers requires firms to identify vulnerability and respond appropriately. AI systems must be able to detect signs of vulnerability such as distress or financial difficulty and escalate to a human agent with documented protocols.
4. Do AI contact centre systems need to be explainable to satisfy FCA requirements?
Yes. The FCA expects firms to be able to account for decisions made in customer interactions. AI systems operating as black boxes are incompatible with this. Compliance teams must be able to reconstruct the decision logic behind any AI-generated response when required.
5. What is model drift and why does it matter for FCA compliance?
Model drift occurs when an AI system's outputs change over time as training data becomes outdated. For FCA compliance, this matters because a model that was compliant at deployment may produce biased or inaccurate outputs months later. Regular audits are required to detect and correct drift.