FCA SYSC
FCA SYSC 4 + Consumer Duty (PRIN 12 / GC23/2)
The FCA Handbook's senior-management arrangements chapters (SYSC), together with the Consumer Duty's good-outcomes obligation, now bind AI-driven decisions that affect retail customers.
Who does it apply to?
- All FCA-authorised firms — banks, insurers, investment firms, asset managers, payment institutions, e-money firms, consumer credit firms.
- Any FCA-regulated firm running an agentic AI workflow that affects retail customer outcomes — credit decisioning, claims handling, financial-promotions content, customer-service automation.
- SMF holders specifically — the Senior Managers Regime makes the individuals accountable for the agent personally responsible: on this page, SMF-26 (responsible for the firm's AI strategy) and SMF-24 (the Chief Operations function; in practice the CIO/CTO with operational AI oversight).
Two-minute explainer
The FCA SYSC (Senior Management Arrangements, Systems and Controls) chapters of the FCA Handbook, plus the Consumer Duty obligation introduced via PRIN 12, are the principal runtime obligations for UK FCA-regulated firms running AI agents. Four pieces matter:
SYSC 4.1 — effective systems and controls. The general obligation that a firm must have “robust governance arrangements, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility.” For agentic AI, this resolves to deterministic policy gates at every tool call. Best-effort prompt-engineering doesn’t satisfy SYSC 4 because it doesn’t produce evidence of “effective” enforcement.
SYSC 4.1.7 — appropriate to the nature, scale and complexity. Bigger firms with bigger AI agents have proportionately higher systems-and-controls expectations. A tier-3 model making credit decisions has different control expectations than a tier-1 model generating internal summaries.
Consumer Duty (PRIN 12, effective 31 July 2023). The Duty introduces a higher standard of customer protection across four outcomes: products and services, price and value, consumer understanding, consumer support. The Duty is cross-cutting: any firm interaction with a retail customer is in scope. Plus three cross-cutting rules: act in good faith, avoid foreseeable harm, enable customers to pursue financial objectives.
GC23/2 (December 2023) — FCA AI guidance. Updated guidance making the FCA’s expectations on AI explicit:
- Senior-management accountability for AI deployments (Principle 6).
- Outcomes monitoring on a cross-cutting basis (Principle 12.1–12.4).
- Vulnerable-customer handling for AI-driven decisions.
- Transparency to customers about AI involvement.
- Model-risk management (cross-references PRA SS1/23 for dual-regulated firms).
The Regulus fca-sysc profile encodes the runtime-facing pieces. Every customer-affecting event lands in the audit chain with the four-outcomes classification, the consumer-segment, and the deciding SMF claim. The Consumer Duty board pack (the quarterly MI artefact that feeds the Consumer Duty assessment the board must review and approve at least annually) is generated from the audit chain.

For firms dual-regulated by the PRA (most UK banks and insurers), the fca-sysc profile composes with pra-ss1-23 (model-risk management) and pra-ss2-21 (outsourcing). The model-risk plugin serves both: SS1/23 tiering is the model-risk side, SYSC SMF accountability is the conduct-risk side.
What the profile doesn’t cover: the firm’s threshold-conditions assessment, the SMR registration process, the FCA authorisation status itself, the conduct-rules training cycle. These are governance and HR processes. The runtime side — what the agent actually does at every tool dispatch, and what evidence lands on the audit chain — is what Regulus delivers.
What it actually requires of an engineer
- SYSC 4.1 requires effective systems and controls. For agentic AI, that means deterministic policy gates at runtime — not best-effort prompts.
- Consumer Duty (PRIN 12) demands outcomes monitoring on a cross-cutting basis. Every AI-driven decision affecting a retail customer must be evidenced against the four outcomes: products/services, price/value, consumer understanding, consumer support.
- GC23/2 (December 2023) makes AI-specific expectations explicit. Outcomes monitoring, fair-treatment evidence, vulnerable-customer handling — all need runtime evidence, not policy documents.
- Senior-Manager accountability cascades to runtime decisions. The SMF holder's Principal claim feeds the audit chain; when a decision is later reviewed by the regulator, the SMF who approved the agent's deployment is identifiable.
- Financial promotions involving AI generation need a FinProm-aligned audit trail — when the model wrote it, who signed it off, which compliance approval applied.
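The list above describes a gate, not a prompt: the decision has to be deterministic, fail closed, and leave evidence whether or not the call proceeds. The following is an added illustration of that shape, written for this page; it is not Regulus code and does not use the Regulus API. All class names, claim names, reason strings, the annual SMF-claim window and the sample calls are assumptions chosen to exercise the checks the list names (fresh SMF claim on the acting principal, dual control plus HITL on tier-3 models, enhanced gating on a `vulnerable` claim, outcome/segment/SMF tagging of every audit event).

```python
"""Fail-closed policy gate at tool dispatch. Illustrative code, not the Regulus API: every
name is an assumption chosen to show the checks listed above (fresh SMF claim, tier-3
dual control plus HITL, 'vulnerable' gating, outcome/segment/SMF tagging of each event)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

ALLOW, DENY, HITL = "ALLOW", "DENY", "HITL"  # HITL: hold for a human before the call proceeds
FOUR_OUTCOMES = frozenset({"products", "price", "understanding", "support"})
SMF_CLAIM_MAX_AGE = timedelta(days=365)  # assumed SMR re-approval cadence (annual)

@dataclass
class Principal:
    """Identity the agent acts under; the SMF fields are claims from the firm's IdP."""
    principal_id: str
    smf_role: str | None = None          # e.g. "SMF24"; None when no SMF claim is present
    smf_claim_issued: date | None = None

@dataclass
class Customer:
    """Retail customer the call affects; 'vulnerable' is the IdP-minted claim."""
    segment: str
    vulnerable: bool = False

@dataclass
class ToolCall:
    tool: str
    model_tier: int                      # 1 (lowest risk) .. 3 (highest risk), as on this page
    outcome: str                         # Consumer Duty outcome affected, or "internal"
    customer: Customer | None = None
    retail_affecting: bool = True
    second_approver: str | None = None   # distinct SMF principal for dual control on tier 3

@dataclass
class AuditEvent:
    tool: str
    decision: str
    reason: str
    outcome: str
    segment: str
    deciding_smf: str | None
    tags: list[str] = field(default_factory=list)

def smf_claim_is_fresh(p: Principal, today: date) -> bool:
    """An SMF claim counts only if present and inside the re-approval window."""
    return (p.smf_role is not None and p.smf_claim_issued is not None
            and today - p.smf_claim_issued <= SMF_CLAIM_MAX_AGE)

def decide(call: ToolCall, actor: Principal, today: date) -> tuple[str, str]:
    """Deterministic gate: the ordered checks are the policy; nothing falls through by accident."""
    if call.model_tier not in (1, 2, 3):
        return DENY, "unknown-model-tier"            # unregistered model: fail closed
    if call.retail_affecting:
        if call.customer is None:
            return DENY, "missing-customer-context"   # segment/vulnerability unresolvable
        if call.outcome not in FOUR_OUTCOMES:
            return DENY, "unclassified-outcome"       # cannot be evidenced, so cannot run
        if not smf_claim_is_fresh(actor, today):
            return DENY, "smf-claim-missing-or-expired"
    if call.model_tier == 3:
        if call.second_approver in (None, actor.principal_id):
            return DENY, "dual-control-missing"       # self-approval does not count
        return HITL, "tier-3-hitl"                    # every tier-3 invocation is reviewed
    if call.retail_affecting and call.customer is not None and call.customer.vulnerable:
        return HITL, "vulnerable-customer-enhanced-gating"
    return ALLOW, "policy-satisfied"

def evaluate(call: ToolCall, actor: Principal, today: date, audit: list[AuditEvent]) -> AuditEvent:
    """Decide, then append the evidence to the audit chain regardless of the verdict."""
    decision, reason = decide(call, actor, today)
    event = AuditEvent(call.tool, decision, reason, call.outcome,
                       call.customer.segment if call.customer else "none", actor.smf_role,
                       ["consumer-duty"] if call.retail_affecting else ["internal"])
    audit.append(event)
    return event

def demo_chain(today: date = date(2025, 6, 1)) -> list[AuditEvent]:
    """Runs a constructed set of calls through the gate and returns the resulting chain."""
    chain: list[AuditEvent] = []
    smf24 = Principal("alice", "SMF24", date(2025, 1, 15))   # claim 137 days old: fresh
    stale = Principal("bob", "SMF24", date(2024, 1, 15))     # claim 503 days old: expired
    cust, vuln = Customer("mass-market"), Customer("mass-market", vulnerable=True)
    calls = [
        (ToolCall("credit_decision", 3, "products", cust, second_approver="carol"), smf24),
        (ToolCall("credit_decision", 3, "products", cust), smf24),                          # no second approver
        (ToolCall("credit_decision", 3, "products", cust, second_approver="alice"), smf24), # self-approval
        (ToolCall("send_statement", 1, "understanding", cust), smf24),
        (ToolCall("send_statement", 1, "understanding", vuln), smf24),
        (ToolCall("send_statement", 1, "understanding", cust), stale),
        (ToolCall("send_statement", 1, "summary", cust), smf24),                            # not a Duty outcome
        (ToolCall("summarise_notes", 1, "internal", retail_affecting=False), Principal("svc-agent")),
        (ToolCall("price_quote", 4, "price", cust), smf24),                                 # unregistered tier
    ]
    for call, actor in calls:
        evaluate(call, actor, today, chain)
    return chain

if __name__ == "__main__":
    for ev in demo_chain():
        print(f"{ev.decision:5} {ev.reason:34} smf={ev.deciding_smf} tags={ev.tags}")
```

Two design points carry over to any real implementation. The default verdict is DENY and each check only narrows or upgrades it, so an unregistered model tier, a missing customer context or an expired SMF claim cannot slip through as ALLOW. And the audit event is written on every path, including denials, because the evidence a reviewer asks for is as much about what the agent was stopped from doing as what it did.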
What Regulus does for you
| Regulus control | Delivers |
|---|---|
| RegulusPolicyPlugin | SYSC 4.1.1 effective systems — fail-closed policy decisions at every tool call. Consumer Duty cross-cutting-rule violations (PRIN 12.1–12.4) emit DENY events with the rule cited. |
| RegulusAuditPlugin | Consumer Duty outcomes monitoring substrate — every customer-affecting event tagged with the four-outcomes classification (products, price, understanding, support) and the resolved consumer-segment. |
| RegulusModelRiskPlugin | Tier-aware gating for retail-affecting model invocations — tier-3 models require dual-control + HITL on every invocation; the deciding Principal is captured per the SMR. |
| RegulusGovernanceEvidencePlugin | FCA-formatted evidence envelopes — REP018 (the Operational and Security Risk return that payment service providers file) integration template + Consumer Duty quarterly board pack export. |
| RegulusIdentityExpiryGuard | SMF claim freshness — Principal credentials carrying the SMF claim must be refreshed within the firm's SMR-approval cadence (typically annual); expired SMF claims fail closed. |
Saves you ~12 engineer-weeks
Estimate based on the following honest assumptions:
- SYSC 4.1 controls framework integration (3 weeks).
- Consumer Duty outcomes-tagging schema + audit field design (3 weeks).
- SMF accountability chain in the audit envelope (2 weeks).
- FCA REP018 / Duty board-pack format export (2 weeks).
- Vulnerable-customer handling gating (2 weeks).
What an auditor will ask
The questions you'll see in a real walkthrough — and where to point them.
- Show me your Consumer Duty outcomes monitoring evidence for the last quarter.
  Filter the audit chain by `tags contains 'consumer-duty'` for the date range, then aggregate by outcome (products, price, understanding, support) and by consumer-segment. The Consumer Duty board pack (`regulus duty board-pack`) generates the quarterly view automatically.
- Who is the SMF responsible for this AI agent's deployment?
  The agent's registration in the Model Registry includes the SMF-26/SMF-24 Principal IDs. Every tier-3 model invocation includes the deciding-SMF claim in the audit event.
- How is vulnerable-customer handling evidenced?
  Principals carry a `vulnerable` claim (minted by your customer-data IdP). The policy plugin applies enhanced gating when the claim is present: HITL on more decisions and an additional documentation requirement. Filter by `principal.vulnerable = true`.
- What's your evidence of fair treatment across consumer segments?
  Outcome aggregation by consumer-segment shows the distribution of ALLOW vs DENY vs HITL across segments. Material deltas surface as `FAIRNESS_DELTA_ALERT` events for second-line review.
- How are financial promotions involving AI generation evidenced?
  Tag the agent's promotion-related tool calls with `finprom`. Each event captures the compliance officer who signed off, the FinProm reference number, and the model invocation that drafted the content.
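The first and fourth questions above are the same query run twice over the audit chain: filter on the `consumer-duty` tag and date range, aggregate by outcome and segment, then compare DENY rates across segments. As an added example written for this page (not the Regulus board-pack or alerting code; the event fields, the 10% threshold, the minimum segment size and the sample events are all constructed assumptions), here is that aggregation and the delta check that would raise a `FAIRNESS_DELTA_ALERT`:

```python
"""Consumer Duty outcomes monitoring over the audit chain (illustrative; not the Regulus
board-pack or alerting code). Shows the two queries an auditor asks for above: the
quarterly aggregate by outcome and consumer-segment, and the cross-segment DENY-rate
delta that surfaces as a FAIRNESS_DELTA_ALERT. Event fields and thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import date, timedelta

CONSUMER_DUTY_TAG = "consumer-duty"
Q2_2025 = (date(2025, 4, 1), date(2025, 6, 30))  # the "last quarter" used in the demo

def quarter_events(events, start, end):
    """The auditor's filter: tags contains 'consumer-duty' within the date range."""
    return [e for e in events if CONSUMER_DUTY_TAG in e["tags"] and start <= e["date"] <= end]

def outcome_view(events, start, end):
    """Board-pack aggregate: outcome -> segment -> Counter of ALLOW/DENY/HITL decisions."""
    view = defaultdict(lambda: defaultdict(Counter))
    for e in quarter_events(events, start, end):
        view[e["outcome"]][e["segment"]][e["decision"]] += 1
    return view

def board_pack_rows(view):
    """Flat rows (outcome, segment, allow, deny, hitl, deny_rate) for the quarterly export."""
    rows = []
    for outcome in sorted(view):
        for segment, c in sorted(view[outcome].items()):
            n = sum(c.values())
            rows.append((outcome, segment, c["ALLOW"], c["DENY"], c["HITL"], round(c["DENY"] / n, 3)))
    return rows

def fairness_deltas(view, threshold=0.10, min_n=30):
    """Flag outcomes whose DENY rate differs by more than `threshold` between segments.
    Segments with fewer than `min_n` events are ignored so a handful of denials in a
    tiny segment does not raise an alert on its own."""
    alerts = []
    for outcome, segments in view.items():
        rates = {seg: c["DENY"] / sum(c.values())
                 for seg, c in segments.items() if sum(c.values()) >= min_n}
        if len(rates) < 2:
            continue
        hi, lo = max(rates, key=rates.get), min(rates, key=rates.get)
        delta = rates[hi] - rates[lo]
        if delta > threshold:
            alerts.append({"event": "FAIRNESS_DELTA_ALERT", "outcome": outcome,
                           "high_segment": hi, "low_segment": lo, "delta": round(delta, 3),
                           "rates": {s: round(r, 3) for s, r in rates.items()}})
    return alerts

def _constructed(segment, outcome, allow, deny, hitl, start=date(2025, 4, 1)):
    """Constructed sample events (not real firm data), spread across 90 days from `start`."""
    decisions = ["ALLOW"] * allow + ["DENY"] * deny + ["HITL"] * hitl
    return [{"date": start + timedelta(days=i % 90), "tags": [CONSUMER_DUTY_TAG],
             "outcome": outcome, "segment": segment, "decision": d}
            for i, d in enumerate(decisions)]

SAMPLE = (
    _constructed("mass-market", "price", 80, 20, 0)
    + _constructed("vulnerable", "price", 50, 40, 10)
    + _constructed("mass-market", "support", 95, 5, 0)
    + _constructed("vulnerable", "support", 90, 6, 4)
    + _constructed("mass-market", "price", 0, 30, 0, start=date(2025, 1, 1))  # prior quarter: excluded
    + [{"date": date(2025, 5, 1), "tags": ["internal"], "outcome": "price",
        "segment": "mass-market", "decision": "DENY"}]                        # untagged: excluded
)

if __name__ == "__main__":
    view = outcome_view(SAMPLE, *Q2_2025)
    for row in board_pack_rows(view):
        print(row)
    for alert in fairness_deltas(view):
        print(alert)
```

On the sample data the `price` outcome trips the alert (a 40% DENY rate for the vulnerable segment against 20% for mass-market) while `support` does not. A delta is a prompt for second-line review, not a finding: a segment carrying a `vulnerable` claim is expected to see more HITL holds because of the enhanced gating, so the reviewer has to look at what was denied and why before treating the gap as unfair treatment. The `min_n` floor matters for the same reason; without it a segment with three events and one denial reads as a 33% rate.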
What this doesn't cover
- Authorisation and permissions — Regulus runs against deployed agents; FCA authorisation of the firm itself is your COO's domain.
- Threshold conditions — Regulus produces runtime evidence; threshold-conditions assessment is governance.
- Conduct rules training — the SMR conduct rules training cycle is people-process, not runtime.
- Compensation scheme handling — Regulus emits incident evidence; FSCS-related processes are handled by your operations team.
Activate this profile in your agent

```shell
regulus init my-agent --profiles=fca-sysc
```