What is the Mills Review?
The Mills Review is the FCA's landmark report AI and the future of retail financial services, led by FCA Executive Director Sheldon Mills and published on 6 July 2026. The FCA describes it as the first review of its kind by a financial regulator anywhere in the world.
It draws on 140 written submissions and a survey of more than 5,000 UK consumers, and it is built around four things:
- An AI autonomy spectrum: five levels describing how the human role changes as AI takes on more, from operator to observer.
- Four system shifts the FCA expects by 2030: the transformation of firms, new consumer journeys, a reshaped competition landscape, and amplified financial crime and cyber risk.
- Seven priority recommendations to the FCA Board.
- One conclusion: the existing framework is sound and needs "progressive adaptation, not wholesale replacement."
The scope is retail financial services broadly: mortgages, savings, pensions, insurance, payments and consumer credit. What ties it together is a single argument about where AI is taking the industry, and what the regulator should do about it.
Why the Mills Review matters now
Most coverage read the Review as a story about whether the FCA will regulate ChatGPT. The more useful reading, if you run or advise a regulated firm, is different: the Review does not change the rules, it raises the bar on how you prove you are meeting them.
The FCA is explicit that it is not writing an AI rulebook. The Consumer Duty, the Senior Managers Regime and operational resilience were, in its words, designed to flex across changing business models. What gets harder is the evidence. As AI moves from helping a person to acting for them, the Review warns, "firms may find it more difficult to evidence consumer understanding, demonstrate good outcomes, and maintain clear lines of accountability."
There is a genuine opportunity underneath the caution. The Review frames AI as a way to close long-standing gaps: only 9% of consumers use traditional financial advice, just 30% hold life or income protection, and around £300bn sits in low-interest accounts. AI could help more people make better decisions. But the firms that capture that upside, the Review says, will be the ones that can demonstrate "trusted AI processes," to the point that doing so "could win business." Governance stops being a cost and becomes the thing that lets you deploy AI at all. We argue that case in full in why compliance is becoming a competitive advantage.
The AI autonomy spectrum explained
The spine of the Review is a spectrum of autonomy, adapted from published research on levels of autonomy for AI agents. It describes the same technology at five points, defined by what the human is doing:
- Operator: the human uses AI as a tool, for example to summarise product terms.
- Collaborator: the human and AI plan and act together.
- Consultant: AI recommends and the human decides.
- Approver: AI prepares or initiates an action, and the human authorises it.
- Observer: AI acts within set boundaries while the human monitors outcomes.
The Review is careful to say this is not a prediction that everything becomes fully autonomous. Few parts of financial services will. The value of the spectrum is that it shows how the benefits and the risks change as the human moves from doing the work to setting the boundaries. Early on, the hard questions are about accuracy and reliance. Further along, they become about consent, accountability and redress. That shift is the reason the Review spends so much time on how existing rules hold up as firms move along the line.
The four system shifts
The Review sets out four changes it expects to reshape retail finance by 2030.
The transformation of firms. AI moves from back-office efficiency into core operations: underwriting, compliance, claims, product design. The Review's own view is that AI governance and model risk management become "a core capability," not an optional extra.
New consumer journeys. People increasingly delegate to AI that acts on their behalf. Journeys become agent-led rather than a series of one-off human decisions.
A reshaped competition landscape. Whoever owns the AI layer that sits between a consumer and their money becomes a gatekeeper. The Review flags heavy dependence on a small number of upstream model providers as a system-wide risk.
Amplified financial crime and cyber risk. The same capabilities that help consumers also help those who target them. Deepfakes, synthetic identities and personalised social engineering make attacks faster and more convincing, and defences have to keep pace.
The seven recommendations
The Review makes seven priority recommendations to the FCA Board:
- Secure and adapt the regulatory perimeter, including a review of general-purpose AI tools used for financial decisions, recommended within three to six months.
- Strengthen system-wide coordination and oversight, domestically and internationally.
- Monitor the transition to autonomous models and adapt regulatory frameworks, clarifying how the Consumer Duty, the Senior Managers Regime and model risk management apply as autonomy grows.
- Scale up the FCA's AI Lab to support AI models and system innovation.
- Enable the foundations for agentic finance, through a trusted framework for AI agents.
- Build and adopt an AI-enabled agentic supervisory model, so the regulator itself can monitor risks across firms in closer to real time.
- Develop a trusted public-interest AI-enabled financial capability service, free at the point of use.
The recommendations are designed to work as a set, covering the rules and perimeter, supervision, capability, and consumer access.
What the Mills Review means for regulated firms
Strip away the detail and the Review lands on one operational point: as AI takes on more decisions, firms have to evidence more, and evidence it continuously.
Two regimes take the most weight. The Consumer Duty gets harder to satisfy when personalised, AI-driven journeys make it difficult to show a customer genuinely understood a product, or that a one-off consent still covers a system acting continuously. The Senior Managers Regime holds, accountability stays with named individuals, but the Review points to assurance, "pre-deployment and ongoing checks," as how a senior manager evidences the reasonable steps they took, including over third-party models they did not build.
The through-line is auditability. When a person is no longer making each decision, "we reviewed a sample" tells a supervisor very little about the decisions nobody saw. The firms ready for this can check every case rather than a slice, and attach the reasoning and source evidence to each finding. For the sector-specific version of this, see what the Mills Review means for mortgages.
What regulated firms should do this quarter
- Map where AI already touches regulated decisions in your firm and place each use on the autonomy spectrum.
- Ask the evidence question: for any AI-assisted process, could you show a supervisor what it did, and why, on any given case, today?
- Assign a named senior manager to each AI system, including third-party models, and start capturing the assurance evidence they would need.
- Move from periodic model review to continuous monitoring, so drift and degradation show up as signals rather than as outcomes discovered late.
- Track the FCA's next moves: the three-to-six-month perimeter review and the "good and poor practice" guide expected later in 2026.
Frequently asked questions
Who wrote the Mills Review?
Is the Mills Review law or new regulation?
What is the AI autonomy spectrum?
What are the seven recommendations in the Mills Review?
When will the FCA act on the Mills Review?
The agentic advantage: why regulated firms are built to win with AI
Agentic AI security is governing what an autonomous agent does on a live case, not just what it says: bounding its authority, forcing escalation, and keeping every action reversible and audited. Regulated firms already run that discipline every day. Partner with AI built to that spec and the agentic era is an advantage, not a threat.
Point of viewAI explainability is not optional in regulated compliance
AI explainability means a compliance officer can see which rule an AI flag relied on, which document triggered it, and what evidence sits behind it. In regulated lending it is not a premium feature. It is the baseline the FCA already expects, because a decision no one can explain is a decision no one can defend.

Dawid Kotur
CEO and co-founder, Curvestone
Dawid co-founded Curvestone in 2024 after a decade working at the intersection of financial services and applied machine learning. He writes about the strategic direction of regulated-industry AI, the FCA's evolving approach to model risk, and the operational changes UK lenders are making in response to Consumer Duty. He sits on the FCA Smart Data Accelerator advisory cohort.
LinkedIn