AI for Compliance Teams
Horizon scanning, control testing, policy mapping, AML triage, audit prep. Most of the day is reading, comparing and writing. We build private AI to do the legwork so the judgement stays with your SMF holder.
£176m: FCA fines in 2024, tripled YoY
872k: SARs filed to the NCA 2023–24
75%: of UK FS firms already use AI
Sources: FCA 2024 fines page; NCA SAR Annual Report 2023–24; Bank of England / FCA, Artificial Intelligence in UK Financial Services 2024.
Compliance work is mostly reading and writing.
Reading the FCA, PRA and ICO output. Mapping a new rule to the policies it touches. Drafting control narratives. Disposing the first line of an AML alert. Reviewing a financial promotion against COBS and the Consumer Duty. It all chews up the same kind of hour.
Expensive too, because the people doing it are expensive, and the volume isn't dropping. Starling paid £29m for AML failings in 2024. Metro paid £16.6m the same year for missing 60 million transactions worth £51bn. Capita paid the ICO £14m in 2025.
An LLM doesn't get to be the SMF holder. It does the reading so the SMF holder can do the judging.
WITHOUT THE AI
- Analyst reads every PS, CP and Dear CEO letter
- Control narratives copied between audits
- L1 AML alerts queued, 95% false positive
- KYC packs typed from PDFs by hand
- Promotions reviewed against a printed checklist
WITH IT
- Daily brief: what changed, who it touches, what to do
- Narratives drafted from the evidence, you sign off
- Alerts pre-summarised with the reasoning attached
- KYC data extracted, flagged, ready for review
- Promotions pre-checked, citations next to each finding
Five jobs we've seen AI actually do.
Not "AI for everything". The specific bits where a careful LLM with retrieval, a human gate and a logged audit trail saves your team hours a week.
Horizon scanning
Watch the FCA, PRA, ICO, NCA, JMLSG, HMT and OFSI feeds. Every morning, your team gets a brief: what's new, who it affects, which policy or control it touches, what to read in full.
Policy & control mapping
Drop in a new policy statement. The system finds the policies, procedures and controls it changes, drafts the updates, and flags the gaps your second line needs to decide on.
AML & sanctions triage
Alerts arrive with a draft disposition: customer history, transaction context, sanctions match strength, the policy clause that triggered it. Your analyst confirms or escalates instead of starting from scratch.
KYC & DPIA drafting
Onboarding packs read and structured. Adverse media checked. DPIAs and vendor questionnaires drafted from your templates. Reviewer sees a half-finished pack, not a blank form.
Promotions & audit prep
Financial promotions pre-checked against COBS, CONC and the Consumer Duty. Audit packs assembled from the evidence already in your systems. Findings come with citations, not vibes.
A consumer chatbot doesn't pass a Section 166.
Compliance is one of the few functions where the regulator can ask you to prove how the answer was produced. ChatGPT in a browser tab can't show its working, can't be governed, and can't sit inside SS1/23.
What we build sits the other way round. Retrieval over your own documents. Citations under every output. A logged trail of prompt, source, output and reviewer. Hosted on infrastructure you can point a regulator at.
Hallucinated citations
Generic LLMs invent FCA Handbook references that look real. Ours only cites text it retrieved, and links the reviewer to the source paragraph.
No audit trail
SYSC and SS1/23 expect reproducible reasoning. A chat window doesn't save the prompt, retrieval set, model version and reviewer sign-off. Ours does, automatically.
Article 22 risk
UK GDPR Article 22 restricts solely-automated decisions with legal or similarly material effect on the individual. We design human-in-the-loop into the workflow, not as an afterthought.
Data residency
Pasting client KYC into a public chatbot is a SYSC and UK GDPR problem. Your data stays in your tenancy, training opt-outs on, logs you own.
Prompt injection in documents
Onboarding docs and contracts can carry instructions that hijack a naive pipeline. We treat document content as untrusted input, not as a system prompt.
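As an added illustration of the "Hallucinated citations" and "No audit trail" points above (not code from the firm or its product): a Python sketch that accepts a model output only when every citation it carries resolves to a chunk in the retrieval set, and writes one record per run with prompt, retrieval set, model version, output and reviewer decision. The retrieval set, the `[SYSC-6.1.1]` citation-marker format and the record fields are assumptions; an output with an unsupported citation is blocked before it reaches the reviewer.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed retrieval set for the demo: chunk id -> paragraph indexed from the firm's own
# sources. The ids look Handbook-like but the text is placeholder, not real rule text.
RETRIEVED = {
    "SYSC-6.1.1": "constructed paragraph: a firm must maintain adequate policies and procedures",
    "COBS-4.2.1": "constructed paragraph: a communication must be fair, clear and not misleading",
}

# Assumed citation marker format, e.g. "[COBS-4.2.1]"
CITE_RE = re.compile(r"\[([A-Z]+-[0-9.]+)\]")


def check_citations(output: str, retrieved: dict) -> dict:
    """Accept only if at least one citation is present and every one resolves to a retrieved chunk."""
    cited = set(CITE_RE.findall(output))
    grounded = sorted(c for c in cited if c in retrieved)
    unsupported = sorted(c for c in cited if c not in retrieved)
    return {"grounded": grounded, "unsupported": unsupported,
            "accepted": bool(grounded) and not unsupported}


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_run_record(prompt: str, retrieved: dict, model_version: str, output: str,
                     reviewer: str, decision: str) -> dict:
    """One audit-trail entry per run. Texts are stored as hashes so a later reviewer can prove
    which prompt, retrieval set and output were used; the retrieval ids stay in clear."""
    checks = check_citations(output, retrieved)
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "prompt_sha256": _sha256(prompt),
        "retrieval_set": sorted(retrieved),
        "retrieval_sha256": _sha256(json.dumps(retrieved, sort_keys=True)),
        "model_version": model_version,
        "output_sha256": _sha256(output),
        "citation_check": checks,
        "reviewer": reviewer,
        # An output with an unsupported or missing citation never reaches sign-off.
        "decision": decision if checks["accepted"] else "blocked_before_review",
    }


if __name__ == "__main__":
    draft = "Promotion is compliant [COBS-4.2.1]; procedures exist [SYSC-6.1.1]."
    print(json.dumps(build_run_record("review promo 42", RETRIEVED, "model-v1", draft,
                                      "analyst1", "approved"), indent=2))
```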
Where we come in.
A short scoping, then the first workflow live. The audit, governance and SS1/23 model documentation written as we go, not bolted on at the end.
You keep your existing GRC platform. We sit alongside it, doing the reading and the drafting that nobody bought it to do.
Scoping
We sit with your MLRO, DPO and second line. We watch the work that's eating the team. We come back with two or three candidate workflows, scoped and priced, and a written view on the SS1/23 model risk tier each one lands in.
Connect your sources
FCA, PRA, ICO and HMT feeds. Your policies, procedures and control library. Your AML platform, KYC system, ticketing and shared drives. Indexed into a private vector store inside your tenancy, with permissions that match the source systems.
Launch the first workflow
Live for the team. Citations in every output. Reviewer attestation captured. Prompt, retrieval set, model version and decision logged for every run. We sit with the analysts using it and tune it weekly.
Hand over the governance pack
Model card, SS1/23-aligned documentation, DPIA, prompt injection and bias test results, monitoring dashboards, the SMF holder named on the model inventory. Everything you need when the regulator or the internal auditor asks how it works.
The frameworks we build to.
Nothing exotic. The same standards your second line already wants to see, applied to the AI from day one rather than papered over at the end.
SS1/23 Model Risk Management
In force since 17 May 2024. Five principles: identification, governance, development, validation, mitigation. Our deliverable includes the model inventory entry, the validation evidence and the SMF accountability mapping.
SYSC, SM&CR, Consumer Duty
The FCA's April 2024 update was clear: no new AI rules, the existing framework applies. SYSC for systems and controls, SM&CR for accountability, PRIN 2A Consumer Duty for outcomes. We design against all three.
ICO guidance & Article 22
DPIAs written. Lawful basis recorded. Article 22 respected by keeping a human in the loop on anything with legal or similarly material effect. ICO transparency expectations on accuracy and individual rights designed in.
AI management system
The first certifiable AI standard, published Dec 2023. We build to the control objectives so if you decide to certify later, the evidence is already there.
Third-party & ICT risk
DORA applied from 17 January 2025 for EU-facing firms. PRA SS2/21 for outsourcing. Where a model provider is in scope, we paper it correctly, including Article 30 clauses where they apply.
EU AI Act Annex III high-risk
Deployer obligations bite from 2 August 2026. Creditworthiness and life and health insurance pricing are on the high-risk list. If your workflow touches either, we treat it as in-scope from the start.
The cost of getting it wrong, in 2024 and 2025.
Four enforcement actions from the last eighteen months. Each one started with a control that someone, somewhere, was supposed to be running.
Starling Bank, £29m
Repeated AML and sanctions failings. 54,000 accounts opened for 49,000 high-risk customers between Sept 2021 and Nov 2023. Sanctions screening had covered only a fraction of the full list since 2017. (FCA)
Metro Bank, £16.6m
Transaction monitoring failures. Around 60 million transactions worth £51bn were not properly monitored because of data input errors in the AML system. Nobody was reading what came out. (FCA)
Capita, £14m
The ICO's largest-ever data protection settlement. £8m as controller, £6m as processor, following the 2023 cyber incident affecting clients including pension schemes. (ICO)
FCA fines, £176m
More than triple 2023. 37 Final Notices. Two insider dealing convictions. £514m in additional consumer redress on top. Themes: financial crime, vulnerable customers, pensions mis-selling. (FCA)
Sources: FCA press releases (Oct 2024, Nov 2024); ICO enforcement notice (Oct 2025); FCA 2024 fines page; Financial Planning Today coverage.
The ones we get asked first.
Will the regulator have a problem with this?
Not if you build it the way they've already asked. The FCA's April 2024 AI Update said the existing framework applies, not a new one. We design to SYSC, SM&CR and Consumer Duty from day one, and document the model under SS1/23. The regulator's complaint is usually with firms that can't show how an output was produced. Ours can.
What about hallucinations?
The reason generic chatbots invent FCA Handbook references is that they're guessing from training data. Our workflows retrieve from your indexed sources first, then only let the model speak about what it found. Every output cites the paragraph. If it can't cite, it says so. A reviewer still signs off.
Where does our data go?
Your tenancy, in the region you specify. Training opt-outs on. Logs you own. Where we use a frontier model, it's via an enterprise API with zero-retention and a signed DPA. We tell you which provider before you commit, and we paper the third-party risk under SS2/21 or DORA where it applies.
Does this replace the team?
No. It replaces the part of their day that's reading, copy-pasting and re-typing. The judgement, the escalation, the regulator engagement, the SMF sign-off, those still need humans. We've seen teams move from drowning in alerts to clearing the queue and finally doing the second-line work that got dropped.
We already have a GRC platform. Do we rip it out?
Almost never. Your GRC is the system of record for policies, controls and risks. We sit alongside, doing the reading and drafting it was never built for, and we write back into it via API. You keep the audit trail in one place.
How long until we see it working?
A short scoping, then the first workflow live for the team in days. Not a year-long programme. Small pieces, built, used, then the next one.
What about the EU AI Act?
If a workflow touches Annex III categories like creditworthiness or life and health insurance pricing, we treat it as high-risk from the start. Deployer obligations bite from 2 August 2026, so the documentation, logging and human oversight need to be ready before then, not on the day. We build that in.
How much does it cost?
Scoping is fixed-fee. The first workflow is priced before we start, scoped against the source systems we connect. Ongoing running costs are mostly the model API, which we tell you up front and meter so you can see it. No per-seat licence creep.
Compliance that scales without the headcount.
Tell us where your team is drowning: horizon scanning, AML triage, policy mapping, audit prep. In thirty minutes you'll have a clear answer on which workflow we'd build first, and what the SS1/23 paperwork around it looks like.