An AMI Factsheet

AI in the Advice Process

This guide reflects current thinking across the FCA, ICO and wider government, but you should always consider how it fits with your own compliance framework and ways of working.

AMI believes AI is a useful tool to help augment the advice process; for example by creating time and administration efficiencies which could free up more time for advisers to spend with their clients.

The use of Artificial Intelligence (AI) in the mortgage market is still developing. Most experimentation is happening within lenders and larger firms, but smaller firms are beginning to explore AI too — around a third of firms at a recent AMI event said they were already using AI tools in some form. AMI recognises that firms have different levels of confidence, capacity and appetite for adopting new technology. This guide is designed to help you understand the opportunities and risks, and to support you in using AI safely and effectively within your advice process.

AMI remains technology‑neutral. Our view is simple: AI should support your advice, not replace it. You remain responsible for the recommendations you give, and AI should enhance, not undermine, your professional judgement.

The contents of this guidance do not constitute legal or other professional advice. Users should seek appropriate guidance before coming to any decision or either taking or refraining from taking any action. AMI disclaims all liability for loss and/or damage that may result from its use.

Getting Started

The safest way to begin using AI is to start small. Build confidence by learning the basics, including hallucination risks, data protection rules and the need to review AI outputs. Many firms find it helpful to try AI in their personal life first to understand how it behaves.

Once you’re comfortable, begin with low‑risk tasks such as drafting letters, summarising generic information or creating templates. These allow you to test AI without using customer data. A short pilot period will help you understand what works.

After that, introduce simple governance: a basic AI policy, staff training and a list of approved tools.

The Regulatory Landscape

The FCA has not introduced AI‑specific rules, and instead expects firms to apply existing requirements such as Consumer Duty, SYSC and SM&CR. The regulator’s position is that the current framework is flexible enough to cover AI, provided firms maintain proper oversight, testing and governance.

The FCA is, however, looking to provide practical guidance through regulatory sandboxes, Tech Sprints and direct firm engagement (including smaller firms); it is actively observing how AI is being deployed in financial services. AMI has encouraged the FCA to share insight from initiatives such as sandboxes more widely with industry.

Firms’ use of AI must comply with a range of regulatory frameworks, such as Systems & Controls (SYSC) and Principles for Business 2a, 3 and 6.

AI creates new foreseeable risks. For example, if an AI tool produces inaccurate summaries that are incorporated into suitability letters, or generates biased outputs that influence product comparisons, customer harm could arise. Equally, if AI-generated communications are unclear or misleading, this could undermine informed decision-making.

Importantly, responsibility cannot be delegated to a machine. If a regulated advice firm outsources tasks to AI, and that AI contributes to an unsuitable recommendation, the firm remains accountable for ensuring that activity is carried out in line with regulatory requirements and expectations. Consumer Duty therefore increases the importance of human oversight, validation and documentation of AI outputs.

For further guidance on how these expectations link to Consumer Duty, please refer to our Consumer Duty factsheets.

AMI Recommends...

To manage AI safely, treat AI‑related issues just like any other process failure with a few simple additions.

  • Log AI‑related problems clearly – Record issues such as incorrect summaries, hallucinations or wrong product comparisons in your incident logs.
  • Handle complaints the same way as advice errors – If AI causes customer harm, fix it quickly, offer redress where needed and explain what happened.
  • Check what caused the issue – Look at whether the AI behaved unexpectedly, whether the adviser reviewed it properly and whether your controls were followed.
  • Improve your processes based on what you learn – Use any incidents to update prompts, templates, workflows or training so the same issue doesn’t happen again.

As AI becomes embedded in advice processes, firms will need to consider how their complaints, remediation and incident‑management frameworks adapt to AI‑related failures. This includes scenarios where AI tools generate incorrect information, omit key details, or introduce bias that influences customer outcomes.

The ICO plays a central role where AI tools process personal data. Many firms are experimenting with large language models (such as ChatGPT or Copilot). However, data protection compliance must remain paramount. To further support organisations in reducing risks, the ICO has created an AI toolkit and the Data Protection Impact Assessment (DPIA), which is a structured process used to identify, assess and mitigate risks to individuals’ rights and freedoms arising from data processing.

Under GDPR, firms must have a lawful basis for processing personal data and must be transparent with customers about how their data is used. Specifically, Articles 13 and 14 of the UK GDPR specify what people have the right to be informed about, as a minimum. Entering identifiable customer information into AI tools constitutes data processing and requires appropriate safeguards. Free or personal AI accounts often lack robust contractual protections. Business or enterprise versions typically offer stronger data protection assurances, including commitments not to use data for model training and formal GDPR processing agreements.

Firms should never input identifiable customer data into consumer-grade AI tools without appropriate contractual and governance safeguards.

The UK government sees AI as a key part of its long‑term growth strategy. It has chosen not to introduce a single AI law, instead relying on existing regulators. Parliamentary committees have recommended that the FCA and others provide clearer guidance as AI adoption grows.

AI in Action

Mortgage intermediary firms are at different stages of their AI journey – from firms that are not using it at all, to firms that are experimenting, all the way through to firms that are implementing specific AI projects.

For inspiration, here are some examples of how our members are using AI in their business.

Case Study

Case Study: XYZ Mortgages – A Firm’s Journey to Integrating AI

XYZ Mortgages is a mortgage intermediary firm providing advice on mortgages and protection. Like many firms in the sector, it began exploring AI to improve efficiency, reduce administrative burden and create more time for advisers to focus on customers.

Curiosity & Early Exploration

XYZ Mortgages initially had no formal AI tools in place. The owner was aware of AI in the news, which prompted them to ask two questions:

  • Where could AI genuinely help?
  • How do we use it safely and compliantly?

The firm decided to explore opportunities and risks, supported by AMI guidance.

Low Risk, High Value Use Cases

XYZ Mortgages identified several low‑risk areas where AI could deliver benefits:

  • Diary management: AI summarised upcoming commitments and extracted actions from emails.
  • Spreadsheet creation: Advisers used AI to generate simple spreadsheets and calculations.

These uses were tightly controlled: all outputs required human review, and no customer data was entered into open tools.

Structured Adoption & Governance

The firm introduced a lightweight governance framework to ensure safe adoption. This included:

  • Clear rules on what AI can and cannot be used for
  • Mandatory human oversight of all AI‑generated content
  • A simple approval process for new AI tools
  • Staff training on risks such as hallucinations and data protection

The firm also developed a short internal glossary to ensure everyone used AI terminology consistently.

Customer-Facing Enhancements

XYZ Mortgages then explored AI to support customer communications:

  • Website content generation: AI produced first‑draft copy for service pages and FAQs, later refined by staff.
  • Customer comms: AI drafted personalised messages based on CRM data, helping advisers respond more quickly.
  • Social media posts: AI generated platform‑specific posts to maintain a consistent online presence.

The firm ensured all customer-facing content was reviewed by a qualified adviser before publication and aligned with the business’s brand and tone, while still maintaining an authentic voice.

Embedding AI into Core Processes

XYZ Mortgages expanded AI use into more operational areas:

  • Workflow automation: AI helped automate repetitive steps in the onboarding process.
  • CRM data extraction: AI converted unstructured notes and documents into structured CRM fields.
  • File checking and QA: AI performed first‑pass checks on documents to flag missing information or inconsistencies before human review.

These changes improved accuracy, reduced rework and strengthened oversight.

Please note this AMI case study is for illustrative purposes only; it is designed to help firms understand the wider considerations and ideas for firms. The content within the AMI case study should not be seen as ‘best practice’.

Key Challenges

AI introduces operational, regulatory and governance complexity. The following challenges are only some of the potential implications of AI integration that AMI feels require structured oversight and clear accountability. We offer insight into the various challenges and outline how firms can overcome them, including some more of our AMI Recommends suggestions.

Integrating AI into your existing systems can be challenging, especially if you use multiple platforms such as your CRM, sourcing tools and compliance software.

Before adopting any AI tool, it’s important to understand how it will fit into your current setup and whether it genuinely solves a problem. Ask providers to show you how their tool works with your systems, test it with real examples and make sure it keeps clear records of what it does.

Keep governance simple by being clear about who oversees AI use and how updates or changes will be managed.

Finally, avoid tools that lock you into one provider; choose systems that allow you to export your data easily and move away if needed.

AMI Recommends...

For a smooth integration and adoption of AI tools, the tips below can help...

  • Understand where AI could help you; start by looking at the systems you already use, think about where the bottlenecks are, where you repeat work, or where mistakes happen.
  • Check how well AI tools work with your existing systems; make sure you see it working with real‑world examples, not just a sales demo. Test how the tool handles errors and whether it keeps clear records of what it does.
  • Put simple governance in place; be clear about who is responsible for overseeing AI use, how you will approve new tools and how you will manage updates or changes. Make sure your approach supports good customer outcomes and aligns with Consumer Duty.
  • Avoid getting locked into one provider; choose tools that let you export your data easily and in standard formats. Avoid setups that rely on bespoke configurations you can’t move away from. This gives you flexibility if you want to switch providers later.

One of the biggest risks for small firms is staff accidentally entering customer data into unsecured AI tools. This can create immediate GDPR breaches. You must only use AI tools that offer proper contractual protections, and never input identifiable customer information into free or consumer‑grade platforms. Keeping a short list of approved tools, training staff on what data can be shared and monitoring usage can significantly reduce these risks.

AMI Recommends...

Keep your customers' information safe and ensure GDPR compliance by...

  • Creating clear AI use policies.
  • Developing approved tool lists.
  • Ensuring adequate training and oversight.

Even if AI automates tasks or supports decision‑making, senior managers remain fully accountable for how it is used. They must understand the basics of how AI tools operate, ensure proper checks have been carried out on providers and be able to evidence that risks were assessed before the tool was introduced. Oversight cannot be left to IT teams or external vendors. Clear accountability and simple governance are essential.

AI tools often rely on cloud services, which can increase your exposure to cyber threats. Before adopting any tool, check how data is stored, what security standards the provider meets and how access is controlled. You should also understand how the tool connects to your existing systems and whether it introduces any new vulnerabilities. Cyber security should be considered from the outset, not after the tool is already in use.

Some firms are starting to use AI tools that analyse customer information and suggest a shortlist of lenders or products. While this can save time, it also creates a risk: the AI might accidentally exclude suitable options because of how it has been trained or configured.

As a mortgage adviser, you are still responsible for ensuring the recommendation is suitable. If AI filters the market before you look at it, you could miss a product that would have been right for the customer.

AI can still be useful for research, but you must keep full visibility of the wider market and be able to challenge or override anything the system suggests. In short, AI can support your thinking, but it must never decide the recommendation for you.

You must ensure that any use of AI is well‑controlled and aligned with regulatory expectations. Interpretation risk is high: firms may take different approaches to AI governance, just as they did with Treating Customers Fairly and Consumer Duty. You should be able to demonstrate how your AI use supports good customer outcomes and avoids foreseeable harm.

Use FCA resources such as the Sandbox or AI Input Lab to help you test ideas safely.

Rapid innovation can cause strategic hesitation. Firms may fear committing to a tool that becomes obsolete within months. However, waiting indefinitely risks competitive disadvantage.

AMI Recommends...

To keep up with changes in technology whilst using AI in your process, you can...

  • Adopt a structured pilot framework
  • Monitor market developments
  • Embed proportional governance early
  • Document learning and iterate

Customer interaction with AI

Some firms are already using AI, which can create confusion if customers assume this means they are receiving “AI advice”. Clear communication is essential. Explain that AI supports admin and research, but the advice itself comes from a qualified adviser who remains responsible for the recommendation.

AMI Recommends...

To ensure your customers know exactly what they're getting when it comes to advice...

  • Be explicit about the boundary between admin support and regulated advice
  • Provide transparent customer messaging; you should develop simple, consistent explanations that clarify:
    • What AI is used for
    • What it is not used for
    • Who is responsible for the advice outcome (the firm, not the AI tool)
  • Educate customers on AI limitations; customers need to understand that AI tools may provide outdated or inaccurate product information, including mortgage rates, criteria or affordability rules.

AI Disclosure to customers

While there is currently no explicit FCA rule requiring firms to state “we use AI”, disclosure cannot be viewed as optional in all circumstances. Instead, firms must assess transparency through the lens of Consumer Duty, data protection law and broader principles of trust and fair communication.

Using AI to draft letters, emails or reports does not normally require disclosure. What matters is that communications are accurate, clear and professionally reviewed.

If using chatbots or automated tools, customers must know they are interacting with a machine. Explain that the tool provides general information only, does not assess personal circumstances, and does not replace regulated advice.

Disclosure should be guided by the level of risk:

  • Low‑risk internal uses (e.g. drafting emails) rarely need disclosure.
  • Higher‑risk uses (e.g. chatbots) may require clearer explanations.

The goal is to ensure customers understand how technology is being used and who is responsible for the advice.

A simple framework for using AI safely

A robust governance framework is essential regardless of firm size.

An AI policy should clearly define approved tools, prohibited uses, data handling rules, and escalation procedures.

Pre-adoption risk assessments should evaluate data processing implications, customer impact, operational dependency and contractual safeguards. Documentation of this assessment is important for demonstrating regulatory compliance.

Staff must understand that AI outputs are drafts requiring professional review. No AI-generated content should be sent to customers or incorporated into suitability documentation without appropriate review.

Regular monitoring and review processes should evaluate performance, consumer outcomes and emerging regulatory guidance.

You can download a template of a simple AI policy to use in your firm. The italicised text provides examples of areas you may wish to consider, with space included for you to amend or add to the content as needed.

An AI policy could include...

  • Purpose & scope
  • Definitions (AI, generative AI, automated decision-making)
  • Approved tools register
  • Prohibited use cases
  • Data classification rules
  • DPIA trigger criteria
  • Human oversight requirements
  • Incident reporting process
  • Record-keeping requirements
  • Review frequency

An example of an AI Risk Tiering Model

| Risk level | Example use case | Regulatory Risk | Required controls |
|---|---|---|---|
| Low | Drafting internal meeting notes | Minimal | Policy coverage & staff training |
| Medium | Drafting customer communications | Consumer understanding risk | Human review & audit trail |
| High | Influencing suitability reports or product comparisons | Direct consumer outcome impact | DPIA & formal validation & documented oversight |

Glossary of key terms

A shared glossary helps ensure everyone in the firm uses AI‑related terminology consistently. It supports a common baseline of understanding, reduces misinterpretation, and helps staff communicate clearly with customers, regulators and each other. To support this, we’ve created a glossary of key AI terminology that can be used within your business, whether for training purposes or to support the implementation of an AI policy.

Artificial Intelligence (AI)

Technology that enables computer systems to perform tasks that typically require human intelligence, such as analysing information, recognising patterns or generating text.

AI-Advice

A theoretical model where AI systems generate recommendations or decisions with limited or no human involvement. In regulated mortgage advice, firms remain responsible for the advice outcome regardless of the technology used.

AI-Augmented Advice

A model where AI tools support advisers by assisting with research, drafting documents or administrative tasks, while the adviser retains responsibility for analysis, professional judgement and the final advice provided to the customer.

Agentic AI

AI systems capable of acting autonomously to complete tasks or initiate actions (such as sending communications, triggering workflows or performing automated processes) without direct human prompting.

Closed AI

AI systems that operate within a controlled environment, using restricted data sources and limited external connectivity. They offer greater privacy, security and predictability.

Data Protection Impact Assessment (DPIA)

A structured risk assessment required under UK GDPR when processing activities are likely to result in a high risk to individuals’ rights or freedoms.

Generative AI

AI models that create new content, such as text, images or audio, based on patterns learned from large datasets. Examples include tools that draft emails, summarise documents or generate website copy.

Hallucination

A phenomenon where an AI system generates information that appears credible but is incorrect, fabricated or unsupported by reliable data.

Large Language Model (LLM)

A type of AI model trained on vast amounts of text data that can generate human-like written responses, summaries or analysis.

Open AI

AI systems that draw on broad, publicly available data sources and can interact more flexibly with external information. They offer wider capability but come with increased variability and risk.