Consider this scenario. A wealth manager at a mid-sized FCA-regulated firm asks ChatGPT to draft a suitability letter for a 68-year-old retired client moving £400k into equity-heavy portfolios. The AI returns a confident, well-structured letter. The adviser glances at it, edits a few details, sends it. Six months later, the markets correct, the client loses 30%, and complains. The firm faces a regulatory enquiry.

The instinctive defence might be: "The AI generated the letter. We were using an industry-standard tool."

That defence will not work in the way many firms expect.

Under the Senior Managers and Certification Regime (SMCR), Conduct Rule 2 requires that all certified staff act with due skill, care and diligence. The FCA has been clear through its AI Update (October 2024), the AI Public-Private Forum, and the AI Live Testing programme that existing rules and principles already apply to AI use. There is no separate AI carve-out from conduct, supervision, or governance expectations.

What this means in practice: when AI is used in client-facing processes, the firm remains responsible for the outcome, and named senior managers must be able to evidence reasonable steps to ensure compliance within their assigned responsibilities. Whether a specific individual is personally liable depends on their Statement of Responsibilities, the firm's structure, and whether reasonable steps were genuinely taken. It is not automatic on the existence of an AI-generated output.

But the absence of an automatic personal liability rule should not weaken the implication for senior managers. It should strengthen it. SMCR was designed to make accountability traceable, tying specific responsibilities to named individuals through documented Statements of Responsibilities. AI does not change the accountability model. It changes the evidence required to demonstrate that reasonable steps were taken within it.

Most wealth managers haven't priced this in yet.

What SMCR actually requires when AI is involved

The FCA has not published a single prescriptive checklist for AI use under SMCR. What it has been consistent about, across its AI Update, AI Discussion Paper DP5/22, and the AI Live Testing programme, is that existing rules apply. The substance of those rules, applied to AI use, points toward a defensible set of expectations.

For senior managers, the operative question becomes: Can you demonstrate the reasonable steps you took to ensure AI-generated outputs met the regulatory standards your role makes you accountable for?

There is no single FCA-prescribed list. But across the regulator's public statements and the industry's emerging best practice, four areas have become clear:

Pre-execution validation. Before AI-generated content reaches a client, can you evidence that it was checked against the firm's approved guidelines? "Checked" here means a documented, repeatable process, not an undocumented adviser review.

A reconstructable audit trail. Can you reconstruct what the AI was asked, what it returned, what was changed, and what was sent? If the regulator requests evidence later, can you produce it without piecing it together from email threads?

Grounded knowledge. Is the AI working from your firm's actual policies, suitability frameworks, and risk thresholds, or is it pulling from generic training data? An AI that does not know your firm's documented standards cannot be relied on to apply them.

Named oversight. Who reviews AI-generated content before it reaches clients? When? How is the review evidenced? SMCR requires named individuals against responsibilities. Software cannot be named in a Statement of Responsibilities.

A firm that cannot evidence these areas against its AI-assisted workflows is, in SMCR terms, a firm whose senior managers may struggle to demonstrate reasonable steps. The personal liability exposure is real, even if the trigger for any individual case depends on the specific facts.

What this means for wealth managers right now

If your firm uses AI tools (ChatGPT, Copilot, Claude, Gemini, or sector-specific platforms) in any client-facing workflow, three questions usefully test your SMCR exposure:

  1. Is the AI grounded on your firm's actual policies, or generic training data?

  2. Is every AI output checked, evidenced, and logged before it reaches a client?

  3. Could you reconstruct the full interaction history if the FCA asked for it tomorrow?

If any answer is "no," the relevant senior manager's evidence of reasonable steps is weaker than it needs to be. The cost of closing that gap is a fraction of the cost of having it fail under FCA scrutiny.

What "reasonable steps" looks like in practice

The SAFE Framework™ and V.E.R.I.F.Y. Protocol™ are designed to address this gap. They are not regulator-endorsed standards. No proprietary framework is. But they are structured methodologies for documenting the kind of reasonable steps the regime points toward.

SAFE™ is a structured approach to grounding AI deployments on the firm's approved knowledge, with input controls, output validation, and documented alignment to FCA SYSC requirements, Consumer Duty outcomes under PRIN 2A, and operational resilience expectations under PS 21/3.

V.E.R.I.F.Y.™ is a six-step output validation protocol (Validate, Examine, Reference, Interrogate, Freshness, Yield) designed to produce documented audit trails for AI-assisted outputs.

Together, they aim to convert AI-generated content from undocumented exposure into evidenced process: the kind of evidence that supports a senior manager's ability to demonstrate reasonable steps under SMCR. They are tools to support compliance, not compliance themselves.

The bottom line

The FCA has not softened SMCR for the age of AI. Existing rules apply. Personal accountability remains where SMCR placed it: with the senior managers responsible for the relevant business activity, in the way set out in their Statement of Responsibilities. The fact that a recommendation came from a model is irrelevant to the rule, but highly relevant to the evidence each senior manager will need.

The firms moving fastest are reading SMCR not as a brake on AI deployment, but as the specification for how to build it defensibly. The ones moving slowest are about to discover what reasonable steps under SMCR actually requires when the regulator asks.

If your firm uses AI in any client-facing process, the SAFE Framework™ and V.E.R.I.F.Y. Protocol™ are designed to support the documentation of reasonable steps under SMCR.

References

Keep Reading