The line everyone skipped
On 6 July the FCA published the Mills Review, its landmark look at how AI reshapes retail financial services by 2030. The headlines went to one idea: the regulator might pull general-purpose tools like ChatGPT inside the perimeter. Fair question, and a big one.
The sentence that matters if you run a lending business was on page 31, and almost nobody quoted it. Governance, the Review says, "is likely to become an enabler of capability. Firms that can demonstrate auditability, explainability where needed, robust testing, clear permissions, effective monitoring and escalation will be able to deploy AI more confidently." Then the line I keep coming back to: "acquiring a reputation for trusted AI processes could win business."
For as long as I have worked in this industry, compliance has been the cost you contain, a tax on the real work. The Mills Review flips that. Governance is no longer the brake on AI adoption; it is what decides whether you get to adopt AI at all, and how fast. Here is the claim I would stake the company on: the firms that win with AI won't be the ones that adopt it fastest. They'll be the ones that can prove what it did, and why. Control is the new speed.
Control is the new speed.
Why "we review a sample" is running out of road
The Review is not a rulebook. It writes no new AI-specific rules. Its argument is that the existing framework, the Consumer Duty, the Senior Managers Regime, operational resilience, was built to flex, and that the pressure now falls on how firms evidence their control rather than on the rules.
That is a subtle point with a sharp edge. When an AI system prepares a suspicious activity report or a regulatory return and a senior manager signs it off, the Review is explicit about what carries the weight, on page 81: "assurance tools, including pre-deployment and ongoing checks, could better enable senior managers to take 'reasonable steps' to prevent regulatory breaches or misconduct, including risks from third-party models operating upstream."
Plainly: the regulator is telling accountable executives that in an AI world, you discharge your duties by showing your working. Not the slide deck, the evidence: every check, every override, every timestamp.
Most compliance functions in mortgages and lending still work by sampling. You cannot review every case by hand, so you review a slice, extrapolate, and manage the rest on a risk rating. Everyone knows the gaps sit in the cases nobody looked at. The Review maps where this breaks. It describes an autonomy spectrum, five steps along which the human moves from doing the work to setting the boundaries and watching outcomes. As you move along that line, the human stops making each decision. And once the human is not in every decision, a sample tells you almost nothing about the thousands of decisions nobody saw.
Compliance spent a decade as the cost of doing business. The Mills Review just made it a reason you win it.
The obvious objection: isn't this just more burden?
I can hear the pushback, because I hear it every week. Great, another thing to document. More cost, more headcount, more friction.
That reading misses what the Review is doing. It is not more paperwork bolted onto the old model. It describes a shift from a point-in-time check at deployment to continuous monitoring across the life of the model. The Review is blunt that model risk management must extend "beyond validation at the point of deployment towards live monitoring, tracking drift, model degradation and outliers." The PRA has been heading the same way with its model risk management principles.
Firms that build that capability do not just satisfy a supervisor. They get to deploy AI into more of the business, with more confidence, because they can see what it is doing and stop it when it drifts. Firms that cannot will move slower, or carry risk they cannot see. There is a consumer cost, too: the Review found only around 40% of people correctly recognise there is no formal route to recourse when they lean on a general-purpose AI tool for a money decision. Trust lost at that scale does not come back cheaply. Governance, done properly, is not the tax. It is the licence to operate at speed.
What I would do about it
If I ran compliance at a network or a lender now, I would not wait for the FCA's promised "good and poor practice" guidance later this year to start. I would ask one question of every AI-touched process in the business: if a supervisor asked us to show what this did on any given case, and why, could we? Today, not after a six-month project.
If the answer is no, that is the gap to close, whether or not you ever deploy another model. Being able to check every case rather than a sample, and to evidence each finding with its reasoning and source, is what the Review is really asking for. It is also what we build at Curvestone. And it is about to become the difference between the firms that get to use AI and the firms that only talk about it.
Compliance spent a decade as the cost of doing business. The Mills Review just made it a reason you win it.
The agentic advantage: why regulated firms are built to win with AI
Agentic AI security is governing what an autonomous agent does on a live case, not just what it says: bounding its authority, forcing escalation, and keeping every action reversible and audited. Regulated firms already run that discipline every day. Partner with AI built to that spec and the agentic era is an advantage, not a threat.
Point of viewAI explainability is not optional in regulated compliance
AI explainability means a compliance officer can see which rule an AI flag relied on, which document triggered it, and what evidence sits behind it. In regulated lending it is not a premium feature. It is the baseline the FCA already expects, because a decision no one can explain is a decision no one can defend.

Dawid Kotur
CEO and co-founder, Curvestone
Dawid co-founded Curvestone in 2024 after a decade working at the intersection of financial services and applied machine learning. He writes about the strategic direction of regulated-industry AI, the FCA's evolving approach to model risk, and the operational changes UK lenders are making in response to Consumer Duty. He sits on the FCA Smart Data Accelerator advisory cohort.
LinkedIn