UK Financial Regulator Says AI is Moving Faster Than Law—And Is Rethinking Regulation From Scratch

The United Kingdom’s most powerful financial regulator publicly conceded this week that traditional rule-making is fundamentally incompatible with the pace of AI development—and announced it is rebuilding its regulatory philosophy from the ground up.

In a major speech delivered on June 24 at the “Agents of Change: Generative and Agentic AI in Financial Services 2026” conference, Financial Conduct Authority Chief Executive Nikhil Rathi delivered what may be the most candid assessment of AI’s challenge to regulation yet heard from a sitting regulator at a major economy’s apex financial watchdog. “Technology is moving much faster than many regulatory paradigms,” Rathi told the room. “Legislation will never keep up.”

The statement was not a complaint. It was a strategic declaration: the FCA has concluded that the traditional model of writing detailed rules and waiting for firms to comply cannot govern a technology that rewrites industry practices faster than parliamentary cycles. And it has a plan to replace it.

The Scale of AI Adoption in Finance

The urgency behind Rathi’s speech reflects the scale of what has already happened. More than 80% of financial services firms under FCA supervision have already adopted AI—not in pilots or proof-of-concept programs, but in live production deployments that are actively shaping credit decisions, fraud detection, trading strategies, and customer interactions.

That statistic, buried in the middle of the speech, is the regulatory crisis in a single number. The FCA governs a sector in which AI is no longer a future concern to be managed through forward-looking rule-writing—it is a present reality across the vast majority of regulated entities. The agency is, in effect, trying to write rules for a game that has already been playing for years.

The pressure is compounding. Frontier AI is now enabling attackers to identify vulnerabilities and spread threats faster than human analysts can respond. UK payment fraud losses reached £1.3 billion, with two-thirds of cases linked to exploitation via social media—platforms where AI-generated content and synthetic identities increasingly provide the attack surface. And agentic AI systems—capable of executing multi-step financial transactions autonomously—are beginning to appear in live markets, raising questions about accountability and market integrity that existing frameworks were never designed to answer.

A Philosophical Shift: From Rules to Stewardship

Rathi’s central argument is that the FCA must move from prescriptive rule-writing to what he called “stewardship” and “supervision”—a fundamentally different posture in which regulators continuously monitor how AI is being used, intervene dynamically when practices drift outside acceptable boundaries, and maintain ongoing dialogue with firms rather than issuing static rulebooks and waiting for compliance reports.

“In some areas, we will still need detailed rules,” Rathi acknowledged. “But in others, traditional rule-making simply won’t work anymore.”

The distinction matters. Prescriptive rules assume regulators know in advance what AI systems will do and can specify acceptable behavior in writing. Stewardship assumes that AI capabilities will evolve faster than any rulebook, and that the regulator’s primary tool must be ongoing observation, dialogue, and the ability to intervene based on outcomes rather than procedures.

The FCA is also studying how 750 firms currently govern their AI deployments—a systematic examination of what good and poor practice looks like in the wild, rather than in theory. That intelligence will inform a publication the agency plans to release later this year documenting what it has found.

The Supercharged Sandbox

The most concrete innovation in Rathi’s speech was the announcement of what the FCA is calling a “Supercharged Sandbox”—a regulatory environment in which firms will be permitted to test AI-powered solutions using real-world transaction data in partnership with technology providers including Nvidia and Google.

Traditional regulatory sandboxes allow firms to test new products in limited, controlled environments before they apply for full regulatory approval. The FCA’s innovation is to supercharge this concept by bringing in frontier AI infrastructure providers as active participants, enabling tests at scales and with datasets that would be impossible in isolated sandbox environments.

The Supercharged Sandbox is designed to address a persistent problem in AI regulation: the gap between the controlled conditions of a compliance test and the messy reality of live deployment. By running real-world data through real AI systems during the regulatory process itself—with Nvidia GPU infrastructure and Google AI tooling available as shared resources—the FCA hopes to expose failure modes that no rulebook could anticipate.

An AI Lab, an Agentic Academy, and a Bank of England Partnership

Beyond the Supercharged Sandbox, Rathi outlined three additional institutional innovations. An “AI Lab” focused specifically on payments and e-commerce will allow firms to experiment with autonomous financial transaction capabilities in a supervised environment before live deployment. An “Agentic Academy” will serve as an educational and testing hub for firms seeking to understand how to deploy AI agents safely within regulated financial services.

Most significantly, the FCA announced it is establishing an “AI Consortium”—a collaborative platform built jointly with the Bank of England that will bring together financial firms and technology providers to develop shared standards, share threat intelligence, and collectively address systemic risks that no single institution can manage alone. The inclusion of the Bank of England signals that the FCA and the UK’s central bank are aligning their AI governance approaches—a coordination that will be essential as agentic AI begins to affect not just individual firm operations but financial system stability.

The Regulator Deploys AI Against Itself

Perhaps the most provocative element of Rathi’s speech was not what the FCA plans to require of regulated firms—it was what the FCA plans to do with AI itself.

The agency announced it is exploring the deployment of agentic AI systems as “first responders” in wholesale market surveillance, capable of processing what Rathi described as “a billion rows of data per day” to identify patterns of market abuse in near real-time. Human analysts would remain responsible for interpretation and enforcement action, but the initial detection layer would be automated and AI-driven.

This is a significant operational commitment. The FCA is not just regulating AI; it is becoming an AI-powered institution. And by doing so, it is implicitly acknowledging a symmetry that more cautious regulators have been reluctant to state directly: if financial firms are deploying AI at speeds that human oversight cannot track, the only viable response is to deploy AI oversight at comparable speeds.

The Mills Review, a forthcoming analysis of how AI is reshaping retail financial services, will be published in the coming weeks and is expected to provide the evidential foundation for further FCA policy announcements.

What This Means for the Global AI Governance Picture

Rathi’s speech lands at a moment of genuine international divergence in AI governance approaches. The European Union has bet heavily on prescriptive regulation through the EU AI Act, which categorizes AI systems by risk level and imposes specific requirements on high-risk applications. The United States has, under the current administration, moved away from mandatory compliance frameworks toward voluntary guidelines and targeted enforcement. And now the UK, post-Brexit, is charting a distinctly pragmatic third path: maintaining principles-based oversight while fundamentally rethinking how oversight is conducted.

The FCA’s approach has the advantage of flexibility. A Supercharged Sandbox can evolve as technology evolves. An AI Consortium can respond to threats as they emerge. A regulator that deploys its own AI surveillance tools can monitor at the pace of the market rather than the pace of parliamentary review.

The risk is accountability. Rules that can be read, published, and challenged provide transparency that continuous supervisory relationships do not. Firms operating under stewardship-based oversight may find it harder to know in advance whether a particular AI deployment will attract regulatory scrutiny—a uncertainty that could chill innovation as easily as it promotes it.

The FCA is betting that the alternative—trying to write rules fast enough to keep pace with AI—is already a losing proposition. On that point, at least, Nikhil Rathi was refreshingly direct: “Legislation will never keep up.”