AI for
Compliance Teams
Compliance teams spend valuable time collecting evidence, comparing policy and preparing routine analysis. We automate the defined research and document work while keeping interpretation, escalation and approval with the accountable person.
£176m
FCA FINES IN 2024, TRIPLED YoY
872k
SARs FILED TO THE NCA 2023–24
75%
OF UK FS FIRMS ALREADY USE AI
Sources: FCA 2024 fines page; NCA SAR Annual Report 2023–24; Bank of England / FCA, Artificial Intelligence in UK Financial Services 2024.
Compliance teams spend too much time moving information
Reading the FCA, PRA and ICO output. Mapping a new rule to the policies it touches. Drafting control narratives. Disposing the first line of an AML alert. Reviewing a financial promotion against COBS and the Consumer Duty. It all chews up the same kind of hour.
Expensive too, because the people doing it are expensive, and the volume isn't dropping. Starling paid £29m for AML failings in 2024. Metro paid £16.6m the same year for missing 60 million transactions worth £51bn. Capita paid the ICO £14m in 2025.
An LLM doesn't get to be the SMF holder. It does the reading so the SMF holder can do the judging.
WITHOUT THE AI
- Analyst reads every PS, CP and Dear CEO letter
- Control narratives copied between audits
- L1 AML alerts queued, 95% false positive
- KYC packs typed from PDFs by hand
- Promotions reviewed against a printed checklist
WITH IT
- Daily brief: what changed, who it touches, what to do
- Narratives drafted from the evidence, you sign off
- Alerts pre-summarised with the reasoning attached
- KYC data extracted, flagged, ready for review
- Promotions pre-checked, citations next to each finding
Compliance work worth automating
We focus on defined review steps where retrieval, a human decision and a retained audit record can reduce handling time without changing accountability.
Horizon scanning
Watch the FCA, PRA, ICO, NCA, JMLSG, HMT and OFSI feeds. Every morning, your team gets a brief: what's new, who it affects, which policy or control it touches, what to read in full.
Policy & control mapping
Drop in a new policy statement. The system finds the policies, procedures and controls it changes, drafts the updates, and flags the gaps your second line needs to decide on.
AML & sanctions triage
Alerts arrive with a draft disposition: customer history, transaction context, sanctions match strength, the policy clause that triggered it. Your analyst confirms or escalates instead of starting from scratch.
KYC & DPIA drafting
Onboarding packs read and structured. Adverse media checked. DPIAs and vendor questionnaires drafted from your templates. Reviewer sees a half-finished pack, not a blank form.
Promotions & audit prep
Financial promotions pre-checked against COBS, CONC and the Consumer Duty. Audit packs assembled from the evidence already in your systems. Findings come with citations, not vibes.
Controls for regulated AI work
Compliance is one of the few functions where the regulator can ask you to prove how the answer was produced. ChatGPT in a browser tab can't show its working, can't be governed, and can't sit inside SS1/23.
What we build sits the other way round. Retrieval over your own documents. Citations under every output. A logged trail of prompt, source, output and reviewer. Hosted on infrastructure you can point a regulator at.
Hallucinated citations
Generic LLMs invent FCA Handbook references that look real. Ours only cites text it retrieved, and links the reviewer to the source paragraph.
No audit trail
SYSC and SS1/23 expect reproducible reasoning. A chat window doesn't save the prompt, retrieval set, model version and reviewer sign-off. Ours does, automatically.
Article 22 risk
UK GDPR Article 22 restricts solely-automated decisions with legal or similarly material effect on the individual. We design human-in-the-loop into the workflow, not as an afterthought.
Data residency
Pasting client KYC into a public chatbot is a SYSC and UK GDPR problem. Your data stays in your tenancy, training opt-outs on, logs you own.
Prompt injection in documents
Onboarding docs and contracts can carry instructions that hijack a naive pipeline. We treat document content as untrusted input, not as a system prompt.
How we start
A short scoping, then the first workflow live. The audit, governance and SS1/23 model documentation written as we go, not bolted on at the end.
You keep your existing GRC platform. We sit alongside it, doing the reading and the drafting that nobody bought it to do.
BOOK A SCOPING CALLScoping
We sit with your MLRO, DPO and second line. We watch the work that's eating the team. We come back with two or three candidate workflows, scoped and priced, and a written view on the SS1/23 model risk tier each one lands in.
Connect your sources
FCA, PRA, ICO and HMT feeds. Your policies, procedures and control library. Your AML platform, KYC system, ticketing and shared drives. Indexed into a private vector store inside your tenancy, with permissions that match the source systems.
Launch the first workflow
Live for the team. Citations in every output. Reviewer attestation captured. Prompt, retrieval set, model version and decision logged for every run. We sit with the analysts using it and tune it weekly.
Hand over the governance pack
Model card, SS1/23-aligned documentation, DPIA, prompt injection and bias test results, monitoring dashboards, the SMF holder named on the model inventory. Everything you need when the regulator or the internal auditor asks how it works.
Frameworks that apply to compliance AI
Nothing exotic. The same standards your second line already wants to see, applied to the AI from day one rather than papered over at the end.
Model Risk Management
In force since 17 May 2024. Five principles: identification, governance, development, validation, mitigation. Our deliverable includes the model inventory entry, the validation evidence and the SMF accountability mapping.
SYSC, SM&CR, Consumer Duty
The FCA's April 2024 update was clear: no new AI rules, the existing framework applies. SYSC for systems and controls, SM&CR for accountability, PRIN 2A Consumer Duty for outcomes. We design against all three.
ICO guidance & Article 22
DPIAs written. Lawful basis recorded. Article 22 respected by keeping a human in the loop on anything with legal or similarly material effect. ICO transparency expectations on accuracy and individual rights designed in.
AI management system
The first certifiable AI standard, published Dec 2023. We build to the control objectives so if you decide to certify later, the evidence is already there.
Third-party & ICT risk
DORA applied from 17 January 2025 for EU-facing firms. PRA SS2/21 for outsourcing. Where a model provider is in scope, we paper it correctly, including Article 30 clauses where they apply.
Annex III high-risk
Creditworthiness and life and health insurance pricing are on the Annex III high-risk list. The Commission's current timeline puts these rules on 2 December 2027. We still design the logging, human review and records from the start where a workflow is likely to fall within that category.
Recent FCA enforcement examples
Four enforcement actions from the last eighteen months. Each one started with a control that someone, somewhere, was supposed to be running.
Starling Bank, £29m
Repeated AML and sanctions failings. 54,000 accounts opened for 49,000 high-risk customers between Sept 2021 and Nov 2023. Sanctions screening had covered only a fraction of the full list since 2017. (FCA)
Metro Bank, £16.6m
Transaction monitoring failures. Around 60 million transactions worth £51bn were not properly monitored because of data input errors in the AML system. Nobody was reading what came out. (FCA)
Capita, £14m
The ICO's largest-ever data protection settlement. £8m as controller, £6m as processor, following the 2023 cyber incident affecting clients including pension schemes. (ICO)
FCA fines, £176m
More than triple 2023. 37 Final Notices. Two insider dealing convictions. £514m in additional consumer redress on top. Themes: financial crime, vulnerable customers, pensions mis-selling. (FCA)
Sources: FCA press releases (Oct 2024, Nov 2024); ICO enforcement notice (Oct 2025); FCA 2024 fines page; Financial Planning Today coverage.
Crystal and ClimateEQ keep people in control
Crystal runs agreed compliance checks and keeps evidence with each deal. ClimateEQ scores carbon-literacy pledges and drafts feedback, while reviewers retain the final decision.
When this is worth discussing
We work best when there is a real operating problem, enough volume to measure and people from the affected teams who can make decisions.
Usually a good fit
- An established UK business, usually with annual revenue above £10m
- A repeated process with a known cost, delay, error rate or capacity problem
- A senior sponsor and a day-to-day owner who understand the work
- Access to the relevant staff, systems, sample records and security requirements
We may point you elsewhere
- A standard product already covers the process well
- The requirement is a one-off small build with no wider operating case
- There is no owner or access to the people and data needed to test the result
- The plan relies on AI making high-impact decisions with nobody responsible for review
Questions the buying team will ask
Will the regulator have a problem with this?
Not if you build it the way they've already asked. The FCA's April 2024 AI Update said the existing framework applies, not a new one. We design to SYSC, SM&CR and Consumer Duty from day one, and document the model under SS1/23. The regulator's complaint is usually with firms that can't show how an output was produced. Ours can.
What about hallucinations?
The reason generic chatbots invent FCA Handbook references is that they're guessing from training data. Our workflows retrieve from your indexed sources first, then only let the model speak about what it found. Every output cites the paragraph. If it can't cite, it says so. A reviewer still signs off.
Where does our data go?
Your tenancy, in the region you specify. Training opt-outs on. Logs you own. Where we use a frontier model, it's via an enterprise API with zero-retention and a signed DPA. We tell you which provider before you commit, and we paper the third-party risk under SS2/21 or DORA where it applies.
Does this replace the team?
The workflow can reduce defined reading, copying and data-entry steps. Judgement, escalation, regulator engagement and SMF sign-off remain with people. The value case should measure queue time, review capacity and error rates without assuming a staffing outcome.
We already have a GRC platform. Do we rip it out?
Almost never. Your GRC is the system of record for policies, controls and risks. We sit alongside, doing the reading and drafting it was never built for, and we write back into it via API. You keep the audit trail in one place.
How long until we see it working?
We define one controlled workflow, its sources, accountable owner and review evidence. It runs alongside the existing process until the compliance team has enough results to approve wider use.
What about the EU AI Act?
If a workflow touches Annex III categories such as creditworthiness or life and health insurance pricing, we assess it as a likely high-risk system from the start. The Commission's current timeline puts those rules on 2 December 2027. Documentation, logging and human review are useful controls now, rather than work to begin near the application date.
How much does it cost?
Scoping is fixed-fee. The first workflow is priced before we start, scoped against the source systems we connect. Ongoing running costs are mostly the model API, which we tell you up front and meter so you can see it. No per-seat licence creep.
Talk to us about your compliance workflow
Tell us which compliance workflow has the most volume, the source material and the accountable owner. We will identify the first controlled use case and the evidence its oversight process needs.