In brief
On 15 May 2026, the Financial Conduct Authority (FCA), the Bank of England and HM Treasury published a joint statement on frontier AI and cyber resilience. Although the statement does not introduce new regulatory requirements, it sends a clear supervisory signal as to how the FCA expects firms to interpret and apply existing rules in the context of frontier AI, including in relation to governance and operational resilience controls.
In more detail
What is Frontier AI?
Frontier AI refers to the most advanced general-purpose AI systems at the cutting edge of current capability. The FCA notes that current frontier models may already exceed the capabilities of skilled human practitioners in terms of speed, scale, and cost.
However, frontier AI also presents emerging risks, and the FCA expects firms to have appropriate systems and controls in place. The FCA notes that, when used maliciously, frontier AI amplifies threats to key areas of its supervisory objectives, including firms’ safety and soundness, customers, market integrity, and financial stability. The FCA expects these risks to increase as more advanced models are developed.
Although the statement does not introduce new rules, its guidance should be read against the FCA’s existing regulatory framework, including Senior Management Arrangements, Systems and Controls (SYSC) requirements relating to governance and operational resilience, as well as the Principles for Businesses relevant to risk management, and systems and controls.
What should firms do?
We consider that the statement treats frontier AI not merely as a technology issue, but as a risk factor with implications for prudential, conduct and market integrity outcomes. The FCA is particularly concerned that as frontier AI develops, firms that have underinvested in core cyber security fundamentals are likely to become progressively more exposed. In our view, this means firms should expect their internal controls to be judged in light of increasingly serious and fast-changing threats.
The FCA is explicit that firms are expected to plan for and mitigate the risks posed by frontier AI across a number of areas, including:
- Governance and Strategy: Boards and senior management are expected to understand frontier AI risks well enough to exercise effective oversight, take strategic decisions and maintain proper control and risk management. The FCA is clear that investment and resourcing decisions should reflect new and developing risks, including the greater vulnerability that can arise when firms rely on outdated systems or depend on vendor support that may lapse. In practice, boards should have direct oversight of such risks, or at least receive management information on them, so that they are weighed in strategic decision-making. Firms should also consider whether they have appropriate insurance in place.
- Identification and Risk Management of Vulnerabilities: The FCA notes that frontier AI can rapidly identify, and enable the exploitation of, a potentially large number of vulnerabilities across firms' technology estates. The statement does not detail how such risks may arise, but read as a whole it suggests the FCA is concerned both with AI-enabled cyber-attacks and with AI systems behaving in unforeseen ways that create new vulnerabilities or exacerbate existing ones. Firms should ensure that vulnerabilities are identified, assessed, triaged and remediated, including through automation where appropriate, while also managing the risks that such automation itself creates (for example, automated remediation that disrupts production systems).
- Third-Party Risk: Firms will need to manage AI-related cyber risks arising from third parties and supply-chain dependencies. This includes being able to identify, monitor and manage the external applications, libraries and services on which they depend.
- Protection: Firms should have effective access management, network security and data protection measures in place to mitigate these risks. Firms should also consider adopting automated and AI-enabled defensive tools capable of operating at speeds comparable to AI-enabled attacks. It remains unclear from the statement whether this expectation applies only to firms that themselves use frontier AI, or whether the FCA expects all financial services firms to consider AI and automated defences. Cyber security and operational resilience remain key areas of FCA regulatory and supervisory focus, so our recommendation is that each firm considers, and documents, its rationale for using or not using AI and automated defences, by reference to the specific SYSC requirements that apply to it.
- Response and Recovery: Firms should be able to respond to, and recover quickly from, disruption, consistent with their broader operational resilience obligations and with the regulator's previous statement on effective practices for cyber resilience.
As we see it, the key supervisory takeaway is that firms should expect the adequacy of their systems and controls to be assessed against a more demanding threat environment shaped by frontier AI.
Next steps
Firms should not dismiss this statement on the basis that it introduces no new formal requirements. The FCA’s message is clear that frontier AI is an emerging risk factor and that such risks are likely to increase. Firms should therefore review their operational resilience, governance, cyber security, and AI risk management frameworks, and address any gaps or vulnerabilities promptly, particularly in the areas outlined above.
Firms should also consider this statement in the context of their third-party vendor management. In particular, firms should review their AI procurement processes and the terms of service they have in place with AI providers, and ensure that these address operational service levels, cyber risks and business continuity, given the growing interdependencies between the financial services and ICT sectors.
Firms should also continue to monitor EU developments on AI regulation, such as ESMA's recent paper on algorithmic trading. That paper confirms that where an algorithmic trading system meets the definition of an AI system, it will need to comply with the requirements of the EU AI Act, and firms' governance arrangements will need to integrate their AI Act obligations.