Skip to main content
Success
[PRO SERVICES / BY INDUSTRY]

AI for
Compliance Teams

Compliance teams spend valuable time collecting evidence, comparing policy and preparing routine analysis. We automate the defined research and document work while keeping interpretation, escalation and approval with the accountable person.

AI for Compliance Teams
Citations, audit trail, human-in-the-loop

£176m

FCA FINES IN 2024, TRIPLED YoY

872k

SARs FILED TO THE NCA 2023–24

75%

OF UK FS FIRMS ALREADY USE AI

Sources: FCA 2024 fines page; NCA SAR Annual Report 2023–24; Bank of England / FCA, Artificial Intelligence in UK Financial Services 2024.

[THE OPERATING PROBLEM]

Compliance teams spend too much time moving information

Reading the FCA, PRA and ICO output. Mapping a new rule to the policies it touches. Drafting control narratives. Disposing the first line of an AML alert. Reviewing a financial promotion against COBS and the Consumer Duty. It all chews up the same kind of hour.

Expensive too, because the people doing it are expensive, and the volume isn't dropping. Starling paid £29m for AML failings in 2024. Metro paid £16.6m the same year for missing 60 million transactions worth £51bn. Capita paid the ICO £14m in 2025.

An LLM doesn't get to be the SMF holder. It does the reading so the SMF holder can do the judging.

WITHOUT THE AI

  • Analyst reads every PS, CP and Dear CEO letter
  • Control narratives copied between audits
  • L1 AML alerts queued, 95% false positive
  • KYC packs typed from PDFs by hand
  • Promotions reviewed against a printed checklist

WITH IT

  • Daily brief: what changed, who it touches, what to do
  • Narratives drafted from the evidence, you sign off
  • Alerts pre-summarised with the reasoning attached
  • KYC data extracted, flagged, ready for review
  • Promotions pre-checked, citations next to each finding
[WHERE IT FITS]

Compliance work worth automating

We focus on defined review steps where retrieval, a human decision and a retained audit record can reduce handling time without changing accountability.

01

Horizon scanning

Watch the FCA, PRA, ICO, NCA, JMLSG, HMT and OFSI feeds. Every morning, your team gets a brief: what's new, who it affects, which policy or control it touches, what to read in full.

02

Policy & control mapping

Drop in a new policy statement. The system finds the policies, procedures and controls it changes, drafts the updates, and flags the gaps your second line needs to decide on.

03

AML & sanctions triage

Alerts arrive with a draft disposition: customer history, transaction context, sanctions match strength, the policy clause that triggered it. Your analyst confirms or escalates instead of starting from scratch.

04

KYC & DPIA drafting

Onboarding packs read and structured. Adverse media checked. DPIAs and vendor questionnaires drafted from your templates. Reviewer sees a half-finished pack, not a blank form.

05

Promotions & audit prep

Financial promotions pre-checked against COBS, CONC and the Consumer Duty. Audit packs assembled from the evidence already in your systems. Findings come with citations, not vibes.

[GENERAL CHATBOTS]

Controls for regulated AI work

Compliance is one of the few functions where the regulator can ask you to prove how the answer was produced. ChatGPT in a browser tab can't show its working, can't be governed, and can't sit inside SS1/23.

What we build sits the other way round. Retrieval over your own documents. Citations under every output. A logged trail of prompt, source, output and reviewer. Hosted on infrastructure you can point a regulator at.

Hallucinated citations

Generic LLMs invent FCA Handbook references that look real. Ours only cites text it retrieved, and links the reviewer to the source paragraph.

No audit trail

SYSC and SS1/23 expect reproducible reasoning. A chat window doesn't save the prompt, retrieval set, model version and reviewer sign-off. Ours does, automatically.

Article 22 risk

UK GDPR Article 22 restricts solely-automated decisions with legal or similarly material effect on the individual. We design human-in-the-loop into the workflow, not as an afterthought.

Data residency

Pasting client KYC into a public chatbot is a SYSC and UK GDPR problem. Your data stays in your tenancy, training opt-outs on, logs you own.

Prompt injection in documents

Onboarding docs and contracts can carry instructions that hijack a naive pipeline. We treat document content as untrusted input, not as a system prompt.

[HOW WE WORK]

How we start

A short scoping, then the first workflow live. The audit, governance and SS1/23 model documentation written as we go, not bolted on at the end.

You keep your existing GRC platform. We sit alongside it, doing the reading and the drafting that nobody bought it to do.

BOOK A SCOPING CALL
01

Scoping

We sit with your MLRO, DPO and second line. We watch the work that's eating the team. We come back with two or three candidate workflows, scoped and priced, and a written view on the SS1/23 model risk tier each one lands in.

02

Connect your sources

FCA, PRA, ICO and HMT feeds. Your policies, procedures and control library. Your AML platform, KYC system, ticketing and shared drives. Indexed into a private vector store inside your tenancy, with permissions that match the source systems.

03

Launch the first workflow

Live for the team. Citations in every output. Reviewer attestation captured. Prompt, retrieval set, model version and decision logged for every run. We sit with the analysts using it and tune it weekly.

04

Hand over the governance pack

Model card, SS1/23-aligned documentation, DPIA, prompt injection and bias test results, monitoring dashboards, the SMF holder named on the model inventory. Everything you need when the regulator or the internal auditor asks how it works.

[GOVERNANCE]

Frameworks that apply to compliance AI

Nothing exotic. The same standards your second line already wants to see, applied to the AI from day one rather than papered over at the end.

PRA SS1/23

Model Risk Management

In force since 17 May 2024. Five principles: identification, governance, development, validation, mitigation. Our deliverable includes the model inventory entry, the validation evidence and the SMF accountability mapping.

FCA AI UPDATE

SYSC, SM&CR, Consumer Duty

The FCA's April 2024 update was clear: no new AI rules, the existing framework applies. SYSC for systems and controls, SM&CR for accountability, PRIN 2A Consumer Duty for outcomes. We design against all three.

UK GDPR

ICO guidance & Article 22

DPIAs written. Lawful basis recorded. Article 22 respected by keeping a human in the loop on anything with legal or similarly material effect. ICO transparency expectations on accuracy and individual rights designed in.

ISO/IEC 42001

AI management system

The first certifiable AI standard, published Dec 2023. We build to the control objectives so if you decide to certify later, the evidence is already there.

DORA & SS2/21

Third-party & ICT risk

DORA applied from 17 January 2025 for EU-facing firms. PRA SS2/21 for outsourcing. Where a model provider is in scope, we paper it correctly, including Article 30 clauses where they apply.

EU AI ACT

Annex III high-risk

Creditworthiness and life and health insurance pricing are on the Annex III high-risk list. The Commission's current timeline puts these rules on 2 December 2027. We still design the logging, human review and records from the start where a workflow is likely to fall within that category.

[REALITY CHECK]

Recent FCA enforcement examples

Four enforcement actions from the last eighteen months. Each one started with a control that someone, somewhere, was supposed to be running.

OCT 2024

Starling Bank, £29m

Repeated AML and sanctions failings. 54,000 accounts opened for 49,000 high-risk customers between Sept 2021 and Nov 2023. Sanctions screening had covered only a fraction of the full list since 2017. (FCA)

NOV 2024

Metro Bank, £16.6m

Transaction monitoring failures. Around 60 million transactions worth £51bn were not properly monitored because of data input errors in the AML system. Nobody was reading what came out. (FCA)

OCT 2025

Capita, £14m

The ICO's largest-ever data protection settlement. £8m as controller, £6m as processor, following the 2023 cyber incident affecting clients including pension schemes. (ICO)

2024 TOTAL

FCA fines, £176m

More than triple 2023. 37 Final Notices. Two insider dealing convictions. £514m in additional consumer redress on top. Themes: financial crime, vulnerable customers, pensions mis-selling. (FCA)

Sources: FCA press releases (Oct 2024, Nov 2024); ICO enforcement notice (Oct 2025); FCA 2024 fines page; Financial Planning Today coverage.

[RELEVANT VU WORK]

Crystal and ClimateEQ keep people in control

Crystal runs agreed compliance checks and keeps evidence with each deal. ClimateEQ scores carbon-literacy pledges and drafts feedback, while reviewers retain the final decision.

[A USEFUL FIRST CONVERSATION]

When this is worth discussing

We work best when there is a real operating problem, enough volume to measure and people from the affected teams who can make decisions.

Usually a good fit

  • An established UK business, usually with annual revenue above £10m
  • A repeated process with a known cost, delay, error rate or capacity problem
  • A senior sponsor and a day-to-day owner who understand the work
  • Access to the relevant staff, systems, sample records and security requirements

We may point you elsewhere

  • A standard product already covers the process well
  • The requirement is a one-off small build with no wider operating case
  • There is no owner or access to the people and data needed to test the result
  • The plan relies on AI making high-impact decisions with nobody responsible for review
[QUESTIONS]

Questions the buying team will ask

Q.01

Will the regulator have a problem with this?

Not if you build it the way they've already asked. The FCA's April 2024 AI Update said the existing framework applies, not a new one. We design to SYSC, SM&CR and Consumer Duty from day one, and document the model under SS1/23. The regulator's complaint is usually with firms that can't show how an output was produced. Ours can.

Q.02

What about hallucinations?

The reason generic chatbots invent FCA Handbook references is that they're guessing from training data. Our workflows retrieve from your indexed sources first, then only let the model speak about what it found. Every output cites the paragraph. If it can't cite, it says so. A reviewer still signs off.

Q.03

Where does our data go?

Your tenancy, in the region you specify. Training opt-outs on. Logs you own. Where we use a frontier model, it's via an enterprise API with zero-retention and a signed DPA. We tell you which provider before you commit, and we paper the third-party risk under SS2/21 or DORA where it applies.

Q.04

Does this replace the team?

The workflow can reduce defined reading, copying and data-entry steps. Judgement, escalation, regulator engagement and SMF sign-off remain with people. The value case should measure queue time, review capacity and error rates without assuming a staffing outcome.

Q.05

We already have a GRC platform. Do we rip it out?

Almost never. Your GRC is the system of record for policies, controls and risks. We sit alongside, doing the reading and drafting it was never built for, and we write back into it via API. You keep the audit trail in one place.

Q.06

How long until we see it working?

We define one controlled workflow, its sources, accountable owner and review evidence. It runs alongside the existing process until the compliance team has enough results to approve wider use.

Q.07

What about the EU AI Act?

If a workflow touches Annex III categories such as creditworthiness or life and health insurance pricing, we assess it as a likely high-risk system from the start. The Commission's current timeline puts those rules on 2 December 2027. Documentation, logging and human review are useful controls now, rather than work to begin near the application date.

Q.08

How much does it cost?

Scoping is fixed-fee. The first workflow is priced before we start, scoped against the source systems we connect. Ongoing running costs are mostly the model API, which we tell you up front and meter so you can see it. No per-seat licence creep.

Vu Agency working session

Talk to us about your compliance workflow

Tell us which compliance workflow has the most volume, the source material and the accountable owner. We will identify the first controlled use case and the evidence its oversight process needs.

Instant AI Chat Message us on WhatsApp