May 2026 has brought a flurry of AI-related activity from the UK’s financial regulators. On 14 May, the Financial Conduct Authority (FCA) reopened its AI Input Zone to collect stakeholder views on good and poor practice in AI use cases in financial services. The following day, the Bank of England, FCA and HM Treasury published a joint statement on frontier AI models and cyber resilience. Taken together, the two developments offer a useful window into regulators’ thinking on AI.
The AI Input Zone: Shaping what ‘good’ looks like
The AI Input Zone was launched in November 2024 as the feedback platform component of the FCA’s AI Lab. Its reopening signals that the FCA is now actively building its evidence base ahead of a dedicated good and poor practice publication on AI, expected later in 2026.
The FCA is asking for specific examples and views on what allows firms to develop and deploy AI use cases safely and responsibly; what is stopping firms from developing and deploying AI; and what themes and topics the FCA should address in its good and poor practice publication.
The deadline for responses is 19 June 2026.
The joint statement: Frontier AI as a cyber threat
On 15 May, the Bank of England, FCA and HM Treasury published a joint statement on frontier AI models and cyber resilience. The statement was directed at all regulated firms and financial market infrastructures (FMIs) and, although it does not introduce new requirements, serves as a timely reminder of existing obligations and regulatory expectations.
The statement highlights that firms need effective protective, detective, threat containment and cyber response capabilities. In line with operational resilience rules and expectations, regulated firms and FMIs need to take action to plan for and mitigate cybersecurity risks posed by frontier AI.
The statement identifies five key domains for action: governance and strategy; identification and risk management of vulnerabilities; managing risks from third parties; protection; and response and recovery.
Key takeaways
These developments give a clear message that UK regulators are thinking seriously about responsible deployment of AI and the associated advantages and risks. In practice, this means:
- Firms should consider responding to the AI Input Zone consultation: The FCA’s good and poor practice publication will matter. Firms – particularly those in fintech, payments and consumer-facing financial services where AI deployment is most active – should consider submitting views before the 19 June deadline. This is a chance to shape expectations before they are set.
- Board-level ownership of AI cyber risk is important: The joint statement is explicit that boards and senior management should have sufficient understanding of frontier AI risks to set strategic direction.
- Third-party and supply chain risk is squarely in scope of regulatory consideration: Firms should effectively manage frontier AI cyber risks from third parties and supply chains, including open-source software – particularly relevant for fintechs and technology-led firms where third-party and open-source dependencies are common.
- There are no new rules yet: But the direction of travel is clear. Both publications reinforce existing expectations rather than introducing new ones. The FCA’s evidence-gathering process is, however, a likely precursor to more formal guidance or rules down the line.
We will continue to monitor the UK regulators’ AI roadmap and are happy to advise on AI governance frameworks, operational resilience obligations and engagement with the regulators.