What is the Mills Review?
The Mills Review is the FCA's landmark report AI and the future of retail financial services, led by FCA Executive Director Sheldon Mills and published on 6 July 2026. The FCA calls it the first review of its kind by a financial regulator anywhere in the world.
It sets out how AI could change retail finance by 2030, and it is built around an AI autonomy spectrum with five levels, four system shifts, and seven priority recommendations to the FCA Board. Its conclusion is that the existing framework is sound and needs "progressive adaptation, not wholesale replacement." For the full walkthrough, see what the Mills Review is. This piece is about one question the national coverage skipped: what does it actually mean for mortgages?
Why the Mills Review matters now for mortgage firms
Most coverage read the Review as a story about regulating ChatGPT. For a mortgage network, lender or broker, the more useful reading is different: the Review does not change the rules, it raises the bar on how you prove you are meeting them.
The FCA is explicit that it is not writing an AI rulebook. The Consumer Duty, the Senior Managers Regime and operational resilience were, in its words, designed to flex across changing business models. What changes is that as AI moves from helping a human to acting for them, "firms may find it more difficult to evidence consumer understanding, demonstrate good outcomes, and maintain clear lines of accountability."
That is the whole game for lending. The mortgage market already runs on evidence: suitability rationales under MCOB, affordability assessments, Consumer Duty outcomes monitoring, financial promotions sign-off. The Review is a signal that this evidence burden is about to get heavier and more continuous, precisely as firms lean on AI to carry more of the load. The firms that treat that as an opportunity are the ones the Review says could "win business" on the strength of trusted, auditable AI processes.
The autonomy spectrum, mapped to mortgage compliance
The most useful thing in the Review for a compliance leader is a single table. It maps its five-level autonomy spectrum directly onto risk and compliance work, and it reads like a description of the next three years in any lending operation:
- Operator: an analyst asks AI to summarise a KYC file or explain a rule.
- Collaborator: an investigator and AI jointly build an anti-money-laundering case file, testing hypotheses.
- Consultant: AI recommends specialist lending decisions and leads alert triage, while underwriters guide the edge cases and humans set risk appetite.
- Approver: AI investigates suspicious activity and drafts the SAR, an analyst approves the filing; AI prepares regulatory returns, a senior manager signs off.
- Observer: AI adapts detection strategies and monitors customer outcomes, while a committee oversees the results and humans watch for drift.
There is a parallel row for front-office work that will be familiar to any broker or network: from an adviser using AI to summarise fact-finds and draft suitability letters at the lower end, up to an agent that renegotiates products across providers with the customer approving each step.
Mortgage firms will not race to full autonomy; the Review is clear that few parts of financial services will. But most lending compliance work will move a step or two along this line, and the regulatory questions change as it does. Early on, they are about accuracy. Further along, they become about consent, accountability and redress: harder questions, and the ones a mortgage firm needs to be able to answer.
This is where checking every case rather than a sample stops being a nice-to-have. When AI triages alerts or pre-checks a case file, the compliance question is no longer "did my reviewer get this one right." It is "can I show that every case was checked, and evidence why each answer was reached." That is what continuous, full-population case-file review is built for: the reasoning and source evidence attached to each finding, rather than a quarterly sample.
Consumer Duty and the Senior Managers Regime under an AI lens
The Review singles out two regimes that come under the most pressure as autonomy grows, and both are central to mortgage compliance.
The Consumer Duty applies cleanly while AI supports human decisions. It gets harder as journeys become dynamic and personalised. The Review flags that "dynamic and personalised journeys may make it harder to evidence that consumers genuinely understand products, decisions and risks," and that one-off consent may not be enough when systems act continuously. For a lender, that lands directly on the consumer understanding and consumer support outcomes. For the detail, see our guide to the Consumer Duty cross-cutting rules.
The Senior Managers Regime is reassuring and demanding at the same time. Accountability does not move to the machine. A senior manager remains answerable for outcomes even where a model's behaviour, performance and updates sit partly outside the firm's direct control. What changes is how an SMF demonstrates the "reasonable steps" they took. The Review's answer, on page 81, is assurance: "pre-deployment and ongoing checks" that let a senior manager evidence control, including over third-party models running upstream. Full observability, every decision, override and timestamp logged, is how you turn "we were careful" into something a supervisor can inspect.
Model risk management: from point-in-time checks to live monitoring
If there is one operational change the Review points to, it is this. AI models are not like the static rules engines most compliance functions were built around. They update continuously, they draw on third-party inputs the firm did not build, and they can drift.
So the Review calls for model governance to extend "beyond validation at the point of deployment towards live monitoring, tracking drift, model degradation and outliers," supported by "end-to-end controls across the AI lifecycle." That is a real shift for lenders who currently validate a model once and revisit it annually. The nearest existing anchor is the PRA's model risk management principles, which already expect lifecycle governance covering vendor models regardless of the technology.
For a mortgage firm, the practical translation is continuous monitoring of the AI in your compliance and underwriting stack, not a once-a-year model review. That is the premise behind real-time compliance monitoring: a check that runs on every case as it moves, with the evidence captured as it goes, so drift shows up as a signal rather than as a bad outcome discovered months later.
What this looks like in practice
Consider a large UK mortgage network, the kind that oversees several thousand advisers across appointed representative firms. Its file-checking team can realistically review a small percentage of cases by hand. The rest are managed by risk rating and hope. When the Consumer Duty raised the bar on evidencing outcomes, the gap between "cases we reviewed" and "cases we can stand behind" became the thing that kept the compliance director awake.
The path the Mills Review describes starts modestly. First, AI at the operator level: summarising files, explaining anomalies, drafting the first pass of a suitability assessment for a human to check. As confidence builds, it moves toward triaging every case, flagging the handful that need a human, and attaching its reasoning to each. The network does not remove its compliance officers. It points them at the cases that actually need judgement, and it can now evidence that all of the cases, not five percent of them, were checked.
That is the same story in a specialist lender wrestling with document-heavy case packaging, or a directly authorised broker firm carrying its own Consumer Duty obligations. Document intelligence that reads photos, scans, protected PDFs and emails, the messy reality of a real case file, turns the Review's "document handling automation" from a slide into a Tuesday. The Review's own market view for consumer finance expects exactly this: more automated search, qualification and document handling. It connects to the wider picture in AI in mortgage compliance.
What mortgage firms should do this quarter
- Map where AI already touches regulated decisions in your firm, from suitability drafting to affordability to financial promotions, and place each on the autonomy spectrum.
- Ask the evidence question: for any AI-assisted process, could you show a supervisor what it did, and why, on any given case, today?
- Move from sampling toward whole-population checking on the processes where AI is doing the work, so the cases nobody reviewed are no longer your blind spot.
- Assign a named senior manager to each AI system, including third-party models, and start capturing the assurance evidence they would need to show reasonable steps.
- Shift model oversight from annual review to continuous monitoring, so drift and degradation surface as signals rather than as outcomes discovered too late.
Frequently asked questions
Is the Mills Review new regulation that mortgage firms must comply with?
Does the Mills Review say AI will replace mortgage brokers?
What does the Mills Review mean for the Senior Managers Regime?
How does the Consumer Duty apply to AI in lending?
When will the FCA act on the Mills Review?
AI in mortgage compliance: oversight first, speed follows
AI in mortgage compliance is the use of artificial intelligence to check mortgage case files against regulatory rules, flagging issues for a human to approve before the lender decides. Lenders are racing to put AI into underwriting for speed, but brokers named compliance checking the bigger prize: unsupervised, unauditable AI just reaches the wrong answer quicker.
Point of viewAI's real job in wealth management is compliance, not advice
In wealth management, AI's most transformational use is compliance, not adviser productivity. Compliance has always run on sampling, reviewing two or five percent of files because that is all human bandwidth allowed. AI lets a firm check every case against its own criteria, changing the statistical basis of the control itself.

Dawid Kotur
CEO and co-founder, Curvestone
Dawid co-founded Curvestone in 2024 after a decade working at the intersection of financial services and applied machine learning. He writes about the strategic direction of regulated-industry AI, the FCA's evolving approach to model risk, and the operational changes UK lenders are making in response to Consumer Duty. He sits on the FCA Smart Data Accelerator advisory cohort.
LinkedIn