Header image

The Mills Review: AI and the future of retail financial services

The FCA Board asked Sheldon Mills to conduct a review into how advances in AI could transform retail financial services by 2030 and beyond. The Mills Review was published on 6 July 2026 here.

Mills predicts that four systemic shifts will reshape financial services into 2030.

  1. AI will transform firms, developing use cases involving greater autonomy. By 2030, many could have moved significantly further along the autonomy spectrum, embedding AI into almost every function from customer support and underwriting to compliance, claims and product design.
  2. Consumer journeys will become AI agent-led. AI will reshape consumer financial journeys, with people increasingly delegating to AI applications that act on their behalf. AI systems will move beyond offering information and recommendations towards trusted AI agents that can act continuously for consumers within agreed limits, providing ongoing financial management and optimising people’s financial lives.
  3. AI will reshape market power and competition. AI has the potential to drive greater beneficial competition in financial services, it could lower barriers to entry, enable new distribution channels and allow digital native firms to scale rapidly. 
  4. Threats and defences will both accelerate. The same capabilities that promise to help consumers will also serve those who seek to target and defraud them. By 2030, AI is likely to amplify fraud and cyber risks, making attacks faster, cheaper, more scalable and more persuasive.

In this article, we focus upon Systemic shift 4: Amplified financial crime and cyber risk.

In terms of key findings, the Review concludes that AI will amplify fraud and cyber risks by 2030, becoming faster, cheaper, more scalable and more persuasive.
  

The main pressure will be speed and scale, with faster exploitation of existing weaknesses, whether by means of customer deception or weak cyber controls

AI is more likely to accelerate existing fraud typologies than create a wholly new category of crime. Better tools, industrialised criminal infrastructure and cross-border ecosystems will allow tactics to be deployed, tested and refined at scale.
  

Risks will cut across firms, platforms, telecoms, payment rails, identity systems and AI/technology providers and across jurisdictions

Even where individual firms strengthen controls, harm may move through the links between banks, fintechs, telecoms providers, online platforms, identity systems and payment rails. Criminals may be able to shift across these channels faster than institutions and authorities can coordinate. Capability therefore needs to evolve at system level, across firms, sectors and public authorities, particularly where no single organisation has the visibility, data or operational reach to act alone.
   

AI is dual use; it will strengthen detection and resilience, but it needs governance and oversight

AI models are already enhancing real time monitoring and pattern recognition in fraud defence. AI-enabled systems could further help firms and regulators identify weak signals and connect patterns across data sources earlier including signals that span jurisdictions and sit across multiple regulatory or geographic boundaries. However, AI capability can cut both ways: poorly governed AI may create false assurance or amplify risk, while well-governed AI could strengthen earlier detection, triage and disruption.
 

Capability must evolve at system level, across intelligence-led prevention, coordination, disruption, cyber fundamentals and clear escalation routes

Capability therefore needs to evolve across firms, sectors and public authorities. This could include pooled specialist resources, shared analytics and more collective approaches to disruption, with criminals treated as the common adversary. Sharing data, stronger identity attributes and risk indicators could improve detection and reduce the risk that false legitimacy builds over time. However, these depend on trusted governance, interoperable standards and confidence that data is used lawfully and proportionately.
  

Cybersecurity

Increasing AI capability has deep implications for cybersecurity. The Review refers to testing of Anthropic’s latest frontier model, which shows it “can exploit systems with weak security posture, and it is likely that more models with these capabilities will be developed.” Frontier AI is a step change in AI capabilities, with significant implications for cyber security and operational resilience. Firms that have under-invested in fundamental cyber security are likely to become progressively more exposed.

The FCA, Bank of England and Treasury separately issued a joint statement on frontier AI models and cyber resilience on 15 May 2026 here. It warned that it is essential that firms have effective protective, detective, threat containment and cyber response capabilities including to address faster and more disruptive frontier AI-driven attacks.
  

Implications for the rest of the Mills Review

Most organisations will need to build and maintain the strong cyber security foundations that will enable them to protect themselves against AI-enabled attacks. Coordination and collaboration on emerging threats within cyber risk will grow in significance as the threat from AI continues to escalate. The OECD suggests that the shift in cyber risk is moving to the level of financial stability concerns. These shifts create pressure on how the UK's regulatory framework is applied in practice. The framework's principles remain sound, but its application becomes more complex as AI moves from assistive roles toward autonomous operation.
  

Our view

AI seems set to revolutionise the way in which regulated firms deliver consumer financial services and products. This report highlights many of the potential benefits, but is also right in warning of the considerable risks that AI poses, and in particular the risks surrounding the use of frontier AI for the purposes of cyber-crime. The OECD paper here chillingly states :-

“…cyber risk can become systemic under certain circumstances: it can spread through common third‑party dependencies, concentrated critical services, and tightly connected financial and operational networks; it can interact with market stress and confidence effects; and, in severe cases, it can spill over between the financial sector and the real economy”.

These risks are not 2030 risks. With the speed of development of AI technology, and in particularly frontier AI, regulated firms should be heeding these warnings now, and building defences against these risks, failing which the consequences for those firms and their clients may be catastrophic. They will involve time and not inconsiderable cost, but the price of failure could be many times higher.

Share Article

Related Expertise

Contributors