Back to Resources

Board Attestation for AI in Regulated Products: The New CFO Line

FCA & Regulatory

Share
Executive summary: FCA-authorised firms using AI in customer-facing products now sit at the intersection of three obligations that produce a de facto board attestation requirement: Consumer Duty outcomes evidence (annual), Senior Managers & Certification Regime accountability (continuous), and the PRA's model risk management expectations for banks (SS 1/23). This piece walks through what boards are being asked to attest, which named senior manager owns each element, and what the CFO material for the attestation looks like in practice.

Why This Landed on the Board Agenda

None of the three underlying frameworks is new. Consumer Duty came into force in July 2023. SM&CR has been the standard accountability regime for banks since 2016 and for solo-regulated firms since 2019. The PRA's SS 1/23 on model risk management for banks was published in 2023 and became effective in 2024.

What is new is the interaction of these three regimes with the material use of AI in customer-facing product. Two years ago, most authorised firms could reasonably describe their use of AI as marginal — internal productivity tools, marketing tests, back-office optimisation. In 2026, the use is often material: algorithmic decisions in underwriting, AI-driven customer support that touches Consumer Duty outcomes, model-based fraud detection that affects customer treatment. When AI use crosses that materiality threshold, the board attestation obligation becomes concrete.

The Three Underlying Obligations

Consumer Duty (FCA PS22/9)

Consumer Duty requires FCA-authorised firms to act to deliver good outcomes for retail customers across four outcomes: products and services, price and value, consumer understanding, consumer support. The annual board report — due 31 July for firms on the standard cycle — must demonstrate that the board has monitored and satisfied itself on those outcomes.

Where AI touches customer outcomes (decisions on eligibility, pricing, support routing, communication), the board report must specifically address how the board has assured itself that the AI-touched processes deliver the outcomes. Generic statements of principle are not sufficient; the FCA has been consistent on this — see our earlier piece on the Consumer Duty year-two assessment.

Senior Managers & Certification Regime

SM&CR allocates specific senior management functions (SMFs) with individual accountability. For AI use in a regulated firm, the relevant SMFs are typically SMF3 (Chief Executive), SMF17 (Money Laundering Reporting Officer, where AI touches AML), SMF2 (Chief Finance) where AI affects financial reporting, and SMF16 (Compliance Oversight) where AI touches regulated conduct.

Each SMF is required to take reasonable steps to ensure the areas within their responsibility are managed appropriately. For AI-touched activities, this now means named accountability for the AI oversight framework itself — not delegable to "the engineering team" or "the CTO".

PRA SS 1/23 (Model Risk Management)

SS 1/23 applies to banks. It sets out five principles for model risk management: identification and classification, governance, development and validation, deployment and use, and independent validation and review. AI models used in credit decisions, fraud, or regulatory reporting fall within the SS 1/23 model definition. The framework requires board oversight of model risk on a continuous basis.

For non-bank fintechs, SS 1/23 does not directly apply — but the framework is now the reference point for how the FCA discusses AI governance with authorised firms, and elements of it appear in supervisory conversations regardless of banking status.

Consumer Duty board report
Annual31 July for firms on standard cycle
SM&CR accountability
ContinuousNamed SMFs individually accountable
SS 1/23 model risk (banks)
Effective 2024Five principles, continuous board oversight
Interaction point
Board attestation when AI material in customer product

What the Board Is Actually Being Asked to Attest

The de facto board attestation, drawn from the intersection of the three frameworks, covers four specific propositions.

  1. The board understands the material AI use. There is a documented inventory of AI applications, classified by autonomy tier and by proximity to customer outcomes. The board has been briefed on this inventory and understands what each application does.
  2. Named senior managers are accountable for each material AI application. The relevant SMF for each application is documented and has explicitly accepted the accountability. This is not a delegation to the engineering team; it is a named individual at the SMF level.
  3. The oversight framework is proportionate and evidenced. For each material AI application, there is a documented control framework (spend caps, monitoring, incident response, model validation as appropriate) and evidence that the framework has been operating over the reporting period.
  4. Consumer outcomes are being monitored where AI touches customers. The Consumer Duty annual report can point to specific AI-touched processes and demonstrate outcomes monitoring for each. This connects to the four outcomes framework directly.

"The board is being asked to say, in effect: we know what AI we are using, we know who is accountable for each of it, we have controls that are actually operating, and we can point to consumer outcomes evidence. Any one of those four propositions failing an examination puts the annual attestation at risk — which puts the SMFs at risk.

The CFO Material for the Attestation

Even where the Consumer Duty officer and compliance function own the substantive attestation drafting, three specific pieces of the underlying evidence base are CFO-owned.

The AI Application Inventory with Cost Basis

The finance team owns cost allocation. The AI inventory needs to include a cost basis per application — headcount attributed to development, infrastructure cost (inference, training compute), third-party vendor spend. This gives the board a materiality lens on which applications warrant which level of oversight. It also feeds into the software capitalisation policy discussed in our earlier piece.

The Model Risk Spend Envelope

For AI applications that autonomously execute financial actions (refunds, adjustments, credit decisions), the spend envelope is a CFO deliverable. Per-transaction, daily aggregate, and monthly caps as described in our AI Agent Governance piece. The attestation needs to be able to say the envelope was set with reference to materiality and was monitored.

The Incident Log with Financial Impact

Every AI-related incident during the reporting period should be logged with the financial impact quantified. Refunds issued, corrections made, customer harm compensated. This is the substantive evidence that the control framework has been tested and that governance has responded to failures. Without a financial-impact log, the "framework is operating" claim is unsupported.

The point where CFO becomes personally exposed: Where AI use materially affects financial reporting — for example, an AI-driven credit-loss estimate flowing into IFRS 9 provisions, or an AI-driven revenue recognition determination — the CFO (SMF2 where the firm has one) is directly accountable under SM&CR for the accuracy and adequacy of the model risk framework applied to that use. The attestation is not just a board document; it is a personal accountability point.

Preparing the Attestation for 2026

The attestation is typically bundled into the Consumer Duty annual report but can also stand alone as a specific board resolution. Either way, the preparation window is the same as the Consumer Duty year-two sprint described in our earlier piece — sixty days from mid-May to the end-July deadline for firms on the standard cycle.

The specific CFO checkpoint items in that window:

  • Week 1-2: AI application inventory refresh with cost basis update.
  • Week 3-4: Named SMF confirmation letters — each relevant SMF explicitly accepts accountability for the applications within their scope.
  • Week 5-6: Control framework operation evidence — spend cap monitoring reports, incident log, escalations that were reviewed.
  • Week 7-8: Consumer outcomes evidence for AI-touched processes.
  • Week 9-10: Draft attestation language reviewed by external compliance adviser or in-house second line.
  • Week 11-12: Chair review, board resolution, attestation signed.
The forward benefit: A well-drafted board attestation that specifies named accountability, evidenced controls and outcome monitoring becomes a foundational document that supports future FCA supervisory conversations, D&O renewal (see our earlier piece), and Series B diligence. It is not a one-off compliance item; it is a governance artefact that continues to earn value across multiple stakeholder relationships.

Key Takeaways

  • The interaction of Consumer Duty, SM&CR and PRA SS 1/23 (for banks) is producing a de facto board attestation obligation for FCA-authorised firms using AI materially in customer-facing product.
  • The board is being asked to attest to four propositions: it understands the material AI use, named SMFs are accountable for each application, the oversight framework is proportionate and evidenced, and Consumer Duty outcomes are being monitored for AI-touched processes.
  • The CFO owns three specific pieces of the underlying evidence: the AI application inventory with cost basis, the model risk spend envelope, and the incident log with financial impact.
  • Where AI use affects financial reporting, the CFO (as SMF2) is directly and personally accountable under SM&CR for the model risk framework applied to that use.
  • The attestation preparation window is the same sixty-day sprint as the Consumer Duty year-two board report — mid-May to end-July for firms on the standard cycle.
  • A well-drafted attestation supports future supervisory conversations, D&O renewals and Series B diligence. It is a foundational governance artefact, not a one-off compliance item.

Work Together

Need this applied to
your business?

Board attestation drafting, AI application inventory, and model risk framework design for FCA-authorised firms. We bring CFO-level rigour without the full-time cost.

Book a Free Discovery Call →