Skip to main content
Curvestone AI
Definition

The Senior Managers Regime and AI: what the Mills Review means

Updated

What is the Senior Managers Regime?

The Senior Managers Regime is the part of the FCA's Senior Managers and Certification Regime (SM&CR) that ties responsibility for regulated activity to named individuals. Senior decision-makers are held personally accountable for how their firm is run, and the FCA sets out the framework each firm must apply.

In practice it rests on four things:

  1. Senior Management Functions, allocated to named people the FCA approves.
  2. A Statement of Responsibilities for each senior manager, setting out what they own.
  3. The duty of responsibility: taking "reasonable steps" to prevent regulatory breaches in that area.
  4. Conduct rules that set enforceable standards of individual behaviour.

The point of the regime is that when something goes wrong, the FCA can identify who was responsible. That principle does not change because a decision was made with software. It does get harder to apply, which is what the Mills Review examines.

What the Mills Review says about the Senior Managers Regime

The Review does not recommend new rules. It concludes the existing framework is sound and needs "progressive adaptation, not wholesale replacement," and it notes that no firm it engaged argued the accountability model should change. For a fuller overview, see what the Mills Review is.

Where it flags pressure is in application. The Review maps each regime against its five-level autonomy spectrum, and finds the Senior Managers Regime operates cleanly while AI supports human decisions, at the operator, collaborator and consultant levels. Strain appears as systems move toward approver and observer, where AI prepares or executes actions and the human sets boundaries rather than making each call. At that point, the Review warns, "meaningful human control" becomes harder to evidence even though accountability remains clear in principle.

Why "reasonable steps" gets harder as AI acts

The duty of responsibility asks a senior manager to show they took reasonable steps. That is straightforward when a person makes the decision and a reviewer checks a sample. It is harder when an AI system triages alerts, drafts a suspicious activity report for sign-off, or prepares a regulatory return, and does so continuously across thousands of cases.

The Review is direct about the gap this can open: without clear assurance, the increasing opacity of more autonomous AI, combined with model drift, could create "a potential gap between the outcomes of AI mediated decisions and the ability of the regulator to identify a de facto responsible party." Accountability stays with the individual, but demonstrating the steps behind it needs different evidence. This is the same evidencing shift we describe for the Consumer Duty.

Assurance: how a senior manager evidences control

The Review's answer is assurance. On page 81 it says "assurance tools, including pre-deployment and ongoing checks, could better enable senior managers to take 'reasonable steps' to prevent regulatory breaches or misconduct, including risks from third-party models operating upstream."

In plain terms, a senior manager evidences control by being able to show what an AI system did and why, before it went live and while it runs. That means pre-deployment testing against real cases, monitoring that flags when a system moves outside expected behaviour, and a full record of decisions, overrides and timestamps. Explainability is the floor here, not a nice-to-have, as we argue in why explainability is not optional. Running that check on every case rather than a sample is the difference between an assertion and an evidence trail a supervisor can inspect.

The accountability chain and third-party models

Most firms will not build their own models. They will rely on general-purpose and domain-specific models from a small number of providers, updated on the provider's schedule, not the firm's. The Review is clear that this does not move the responsibility: the firm and its senior managers remain accountable for outcomes "even where aspects of model behaviour, performance and change sit outside their direct control."

That makes vendor oversight a senior-management task, not just a procurement one. Firms are beginning to name technical-governance responsibilities in Statements of Responsibilities, map their model dependencies, and require the same evidence from a bought-in model that they would from an internal one. The dependency is managed through oversight and assurance, never transferred.

What this looks like in practice

Take a mid-sized specialist lender that has introduced AI to pre-check affordability and flag suitability issues before a human underwriter signs off. The accountable senior manager is not a new "head of AI." It is the existing SMF who owns compliance oversight for that business line.

Their reasonable-steps evidence is no longer a policy document and a quarterly sample. It is a live picture: which cases the model checked, what it flagged, where a human overrode it and why, and an alert when the model's behaviour drifts from its tested baseline. When the FCA asks how the firm governs AI in that process, the answer is a record, not an assurance. That is the practical shift the Mills Review is pointing at, and it maps closely to AI in mortgage compliance more broadly.

Senior manager checklist for AI

  1. Assign a named senior manager to each AI system in a regulated process, including bought-in models.
  2. Update the Statement of Responsibilities to reflect who owns AI governance for that area.
  3. Require pre-deployment assurance: testing against real cases before a system influences outcomes.
  4. Put ongoing monitoring in place that flags drift, degradation and out-of-bounds behaviour.
  5. Keep a standing evidence pack: decisions, overrides, timestamps and model changes, ready for a supervisor.
Questions

Frequently asked questions

Does the Senior Managers Regime apply to AI-driven decisions?
Yes. The Senior Managers Regime applies regardless of the technology used. A named senior manager remains accountable for outcomes even when an AI system supports or prepares a decision. The Mills Review is explicit that accountability does not transfer to the model as automation increases; it stays with the individual.
What are "reasonable steps" for AI under the Senior Managers Regime?
Reasonable steps are the actions a senior manager takes to prevent regulatory breaches in their area. For AI, the Mills Review points to assurance: pre-deployment testing and ongoing monitoring that let the manager evidence control over how a system behaves, including third-party models running upstream that the firm did not build.
Can a firm delegate accountability for AI to its vendor?
No. A firm can outsource the technology, but not the regulatory accountability. Under the Senior Managers Regime the named individual stays answerable for outcomes, even where a third-party model's behaviour sits partly outside the firm's control. The Mills Review stresses managing that dependency through oversight and assurance, not transferring the responsibility.
Does the Mills Review change the Senior Managers Regime?
No. The Review recommends no new rules and says the Senior Managers Regime remains sound. It notes that respondents did not seek changes to it. What it flags is interpretation: the FCA should clarify how the regime applies as AI becomes more autonomous, so accountability stays clear when decisions are delegated.
Who is the accountable senior manager for AI in a firm?
There is no single "AI" senior manager function. Accountability follows the activity: the SMF responsible for the affected area, such as compliance oversight or the relevant business line, owns the AI used within it. Many firms are now naming technical-governance responsibilities in Statements of Responsibilities as AI spreads across functions.
Sources
  1. 01FCA, The Mills Review (full report)
  2. 02FCA, Senior Managers and Certification Regime
  3. 03FCA press release, 6 July 2026
  4. 04PRA SS1/23: Model risk management principles for banks
  5. 05Bratby Law: Mills Review, AI, autonomy and accountability
Related reading
Dawid Kotur
Written by

Dawid Kotur

CEO and co-founder, Curvestone

Dawid co-founded Curvestone in 2024 after a decade working at the intersection of financial services and applied machine learning. He writes about the strategic direction of regulated-industry AI, the FCA's evolving approach to model risk, and the operational changes UK lenders are making in response to Consumer Duty. He sits on the FCA Smart Data Accelerator advisory cohort.

LinkedIn

Compliance that thinksahead. Automatically.

Join mortgage networks, lenders, and legal firms using Curvestone to review cases at scale.