UK finance firms issue warning over cyber threat due to ‘lack of AI guardrails’

This development arises amid the Bank of England preparing to convene representatives from His Majesty’s Treasury, the Financial Conduct Authority and the National Cyber Security Centre in order to assess the risks posed by Anthropic’s Mythos model.

Lord Clement-Jones, Liberal Democrat spokesperson for science, innovation and technology in the House of Lords and co-chair of the All-Party Parliamentary Group on AI, writes in the foreword to the research report: “What is immediately missing is the translation of high-level regulatory principles into day-to-day operational practice. We cannot simply wait for the aftermath of the first major AI-fuelled financial scandal to force us into action.”

‘The Future of AI Governance and Compliance in Financial Services’ draws on interviews with 27 C-Site and senior leaders across risk, compliance and AI governance at UK and European financial institutions, as well as the outcomes of four industry round tables involving 60 additional senior practitioners.

Contributors to the final report include senior leaders from Santander, St James’s Place, Stripe, Standard Chartered, the Lloyds Banking Group, Monzo, Allica Bank, Commerzbank, Revolut and Ecommpay alongside John Glen MP, Member of the Treasury Committee.

Shift in AI systems 

The findings highlight a shift in the AI systems being adopted by UK financial institutions, moving from tools that produced predictable outputs to generative and agentic systems producing context-dependent outputs that cannot be fully validated in advance, thereby changing the requirements of governance.

That shift is creating a widening oversight gap. Business and technology teams are deploying AI at a much faster pace than the risk and compliance functions responsible for overseeing them, with several institutions unable to identify all of the AI tools in use across their own organisations.

Criminal organisations are already exploiting that gap: global fraud losses hit £426 billion in 2025, with 90% of financial professionals reporting an increase in AI-enabled attacks.

Ritesh Singhania, CEO of Zango, stated: “Compliance teams are trying to keep pace with AI systems their own colleagues have deployed and with criminal networks scaling faster than anyone’s defences. Weak governance doesn’t just create individual risk. It also creates systemic vulnerability across the entire sector. What’s missing is a shared implementation standard that affords firms a consistent basis for governing AI as they adopt it.”

Leaders have cited a lack of operational guidance as a significant gap in the UK compared to the US. In February, the US published a practical Financial Services AI Risk Management Framework developed by a Treasury-led public-private collaboration involving 108 financial institutions (with input from agencies including NIST). The Monetary Authority of Singapore, the Singapore regulator, published an equivalent in March. As yet, no comparable standard exists in the UK or the European Union.

Without shared operational guidance, firms are solving the same governance problems independently. This leads to inconsistent control standards and creates oversight gaps that can be exploited at scale: a dynamic that sits at the heart of the AI-enabled risks regulators are now urgently examining.

Making judgements

Dean Nash, adviser to Zango and global chief operating officer (Legal) at Santander, said: “The kinds of AI systems now being adopted across financial services don’t behave in the way those systems around which we built our governance frameworks have behaved. They make judgements, produce different outputs in different contexts and cannot be fully tested in advance. This poses a significant accountability problem. Right now, most firms are trying to solve it alone without a shared standard for reference.”

The Zango report calls for practitioner-built, sector-specific implementation guidance developed with regulator engagement and modelled on the precedent set by the Joint Money Laundering Steering Group, the industry-developed standard for financial crime compliance that carries Government endorsement without being mandated by regulators. No equivalent exists for AI.