The FCA’s landmark Mills Review, published on 6 July, is the most ambitious attempt by any financial regulator to map how artificial intelligence will reshape retail financial services by 2030. It identifies four systemic shifts, proposes seven recommendations and introduces a five-level autonomy spectrum. What it does not do — and this matters — is answer the question that asset managers building AI-driven portfolios need answered most: how, precisely, should a model prove why it made the decisions it did?
That gap is not a failure of ambition. The Financial Conduct Authority (FCA) set out to scan the horizon, not to write compliance manuals. But for firms already deploying AI in investment screening, the omission leaves a practical vacuum that will need filling before the next wave of regulation arrives.
What the Mills Review Actually Says
Led by executive director Sheldon Mills, the review drew on input from across the financial services landscape and commissioned a survey of more than 5,000 UK consumers. Its headline finding is striking: one in five UK adults — roughly 11 million people — said they would be likely to use AI that acts autonomously within pre-set financial goals. That is not a fringe appetite. It is a market signal.
The review frames AI’s trajectory through a five-level autonomy spectrum. At level one, AI supports on demand — summarising product terms, for instance. By level five, AI executes decisions whilst humans merely monitor a log. Most firms sit somewhere around levels two and three today: AI and human collaborating, with the human still steering. The review expects that boundary to shift materially by 2030.
Four systemic shifts underpin this forecast. First, firm operations will be transformed — AI moving from a bolt-on tool to a core operational capability. Second, consumer journeys will become agent-led, with AI intermediating product selection, switching and ongoing portfolio management. Third, competition will be reshaped as control of AI-mediated interfaces becomes a source of market power. Fourth, financial crime and cyber risks will be amplified, with AI enabling faster, cheaper and more persuasive fraud.
The seven recommendations that follow are sensible: secure the regulatory perimeter, strengthen cross-regulator coordination, scale up the FCA’s AI Lab, and lay foundations for what the review calls “agentic finance.” Ashley Alder, the FCA’s chair, described the existing principles-based framework — including the Consumer Duty and Senior Managers and Certification Regime (SM&CR, which assigns personal accountability to named senior managers for regulated activities) — as robust enough to flex, provided it is applied thoughtfully.
The Explainability Problem
This is where the practical tension surfaces. The review acknowledges that “capable models still require controls for reliability, consistency, explainability and accountability.” It notes that as firms move up the autonomy spectrum, identifying who is responsible for a decision becomes harder. It flags the SM&CR as a potential pressure point when AI systems operate with greater autonomy and opacity.
But it stops short of defining what adequate explainability looks like in portfolio construction. This is not an abstract concern. The Cambridge Centre for Alternative Finance (CCAF) reported in its 2026 Global AI in Financial Services study that 81 per cent of financial institutions are now adopting AI at some level — yet only 14 per cent regard it as transformational to their strategy. That gap between adoption and strategic confidence hints at a deeper unease: firms are deploying AI faster than they can explain it.
The distinction that matters here is architectural. Generative AI — the large language models (LLMs) behind chatbots and text generation — operates probabilistically. It produces outputs that are plausible but not necessarily repeatable. Ask the same model the same question twice and you may get different answers. For customer service or document summarisation, that variability is manageable. For investment screening, where a regulator or client may later ask why a particular company was included or excluded from a portfolio, it is a problem.
Deterministic AI, by contrast, applies fixed rules to structured data and produces the same output from the same input every time. A Bayesian scoring pipeline — the kind used in some impact-screening frameworks — assigns weighted scores against defined criteria, with each rating traceable to cited evidence. The logic is auditable. The trail is complete.
The International Organisation of Securities Commissions (IOSCO) began addressing this in May 2026 with its Supervisory Toolkit for AI Use in Capital Markets. The Financial Stability Board (FSB) published its own 12 sound practices for responsible AI adoption the same month. Both emphasise governance, auditability and human oversight. Neither prescribes a specific technical architecture — but the direction of travel is clear: regulators want to see the working.
What This Means for Portfolio Builders
The EU is further ahead on timelines. The EU AI Act‘s high-risk obligations take effect on 2 August 2026 — less than three weeks away. AI systems used in creditworthiness assessment are explicitly classified as high-risk, and whilst portfolio construction is not yet named in the same category, the regulatory direction suggests it will not remain exempt indefinitely. Firms operating across the UK-EU corridor are already adapting their model risk management frameworks to meet both sets of expectations.
In the UK, the Consumer Duty — which requires firms to deliver good outcomes, fair value and effective communications — applies regardless of whether a human or an algorithm made the decision. The Mills Review is explicit on this point: AI-driven pricing and product design may make it harder to demonstrate that outcomes remain fair across different groups of consumers. Senior managers cannot delegate accountability to a model.
For firms building AI into portfolio construction, the practical takeaway is threefold. First, architecture matters. A model that cannot reproduce its reasoning on demand is a regulatory liability, regardless of how sophisticated its outputs appear. Second, the audit trail is not optional. Whether a screening decision was made by a generative model, a deterministic pipeline or a human analyst, the chain of evidence must be complete and retrievable. Third, the window for voluntary best practice is closing. The FSB framework, the IOSCO toolkit and the Mills Review’s recommendation to monitor autonomous models and adapt regulatory frameworks all point towards harder requirements within 12 to 18 months.
The Mills Review describes AI governance and model risk management as a “critical capability” by 2030. For firms already using AI to screen investments, construct portfolios or score impact criteria, 2030 is not the deadline — it is the backstop. The firms that will navigate the coming regulatory wave most comfortably are those building the evidence trail now, not those scrambling to retrofit one later.
The FCA has committed to publishing good and poor practice guidance on AI later this year. When it does, firms whose models can already show their working will be the ones with the least to worry about.









