The FCA has published the Mills Review, an independent review led by Sheldon Mills examining how advances in AI could transform UK retail financial services by 2030. Among its four “system shifts,” the review identifies amplified financial crime and cyber risk as a defining challenge, one with direct implications for how firms design and evidence their financial crime frameworks over the coming years.
Why Financial Crime Featured So Heavily
The review draws on 140 written submissions and extensive engagement across financial services, technology, academia and regulation. It concludes that the same AI capabilities transforming legitimate financial services are equally available to those seeking to exploit them. As AI becomes more capable and more widely adopted, both the scale of criminal opportunity and the tools available to counter it are set to grow in parallel.
Key Findings on Financial Crime and Cyber Risk
The review’s fourth system shift centres on the idea that threats and defences will accelerate together. By 2030, AI is expected to make fraud and cyber-attacks faster, cheaper, more scalable and more persuasive, while simultaneously making them harder to detect and stop. Deepfakes, synthetic identities and highly personalised social engineering are identified as key drivers of this shift, fundamentally changing how fraud and cyber-attacks are conducted and exploiting weaknesses in ways that can outpace existing defences.
Firms committing to more autonomous, agent-led models were flagged as a particular concern. As consumers increasingly delegate financial decisions and transactions to AI agents acting on their behalf, the review warns that risk could spread more quickly across an increasingly interconnected, model-based system. A failure or compromise in one widely used model or service could transmit rapidly across firms and markets rather than remaining contained within a single institution.
Third-party and supply-chain dependency was also raised as a growing exposure. As firms rely more heavily on external AI model providers and infrastructure, financial crime and cyber risk increasingly sit outside firms’ direct control, requiring stronger oversight of vendor relationships, data handling and system access than has traditionally been the case.
Importantly, the review does not treat this as a one-directional threat. The same underlying technologies used to attack financial systems can also strengthen defences, improving fraud detection, cybersecurity monitoring and regulatory surveillance. However, the review is clear that this defensive advantage will only materialise if firms, regulators and law enforcement have access to comparable AI capabilities and stronger information-sharing arrangements, allowing threats to be identified, prevented and responded to before significant harm occurs.
International cooperation featured as a related theme. AI creates cross-border dependencies on shared models, cloud infrastructure and technology providers, meaning that disruptions or failures can have simultaneous global impact. The review notes that while international principles and guidance on AI are emerging, regulatory approaches remain fragmented, reflecting differing national priorities and levels of AI maturity, an obstacle regulators will need to work through collectively.
What This Means for Firms
The review’s core message for financial crime frameworks is one of pace. Firms cannot rely on static, historically designed controls to counter threats that are themselves evolving through AI. Fraud detection, transaction monitoring, third-party oversight and governance frameworks will all need to account for AI-enabled attack methods, while firms must also consider how their own use of AI in customer-facing and back-office functions introduces new financial crime exposures that did not previously exist.
Although the Mills Review is not itself a source of new FCA rules, firms should consider its findings alongside existing regulatory obligations, including the FCA Principles for Businesses, the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook, operational resilience requirements where applicable, and financial crime systems and controls under SYSC 6.1. The review provides a strong indication of the FCA’s future supervisory direction regarding AI governance, operational resilience and financial crime risk management.
How Complyport Can Help
Complyport can help firms prepare for the evolving financial crime risks highlighted in the FCA’s Mills Review by providing:
- Financial crime framework assessments to evaluate whether AML, fraud prevention and transaction monitoring controls remain effective against AI-enabled threats.
- Fraud risk and transaction monitoring reviews to strengthen systems against emerging risks such as synthetic identities, deepfakes and AI-assisted fraud.
- Operational resilience and incident response reviews to ensure firms are prepared for AI-driven cyber incidents and technology failures.
- Gap analyses against FCA expectations to identify weaknesses in governance, financial crime controls and AI risk management, together with practical remediation recommendations.
- Policies and procedures development to help firms update governance, financial crime and AI-related policies as regulatory expectations evolve.
- Board and Senior Management training on AI governance, emerging financial crime risks and regulatory developments to support effective oversight.
- Ongoing regulatory compliance support to help firms monitor evolving FCA expectations and implement proportionate, risk-based compliance frameworks.
Book a Meeting with a Complyport SME
To learn more and ensure compliance with upcoming regulatory developments, book a consultation with a Complyport Subject Matter Expert today.
Ask ViCA, your Virtual Compliance Assistant.
Access instant answers on regulatory changes.
Claim your complimentary 20 queries today! Register here: https://vica.chat






