FCA Consumer Duty Principle 12 for AI agents

01 · § 1 · THE PRINCIPLE IN ONE SENTENCE

The load-bearing claim.

A firm must act to deliver good outcomes for retail customers. FCA Handbook · PRIN 2A.1.1R · in force 2023-07-31

Twelve words. The whole of PRIN 2A descends from that one rule. The original eleven Principles for Businesses had Principle 6, treating customers fairly, which the supervisor read as a process standard. Principle 12 is the outcome standard. Act to deliver is operative. Good outcomes is the test. The firm bears the evidential burden, and a process diagram does not satisfy it.

The placement of the rule matters. PRIN 2A.1.1R sits at the head of a Handbook chapter that is itself anchored to a Principle that overrides every product-specific Conduct of Business sourcebook below it. That means the duty applies to mortgage origination under MCOB, to consumer-credit decisions under CONC, to insurance pricing under ICOBS, to investment advice under COBS, to retail banking under BCOBS, and to any new retail product class the firm builds in 2026 that does not yet have its own sourcebook chapter. The principle is the test of last resort, and an AI agent operating across product lines is exactly the case the principle was written for.

An AI agent making any retail-facing decision is squarely in scope. A model that classifies a credit application, that prices an insurance renewal, that suggests a savings product, that triages a complaint, or that authors the response a contact-centre agent reads to a customer is, in every case, acting in the chain that produces the retail outcome. PRIN 2A.1.1R reaches the firm; the firm reaches the chain; the chain reaches the agent. The firm cannot disclaim the duty by pointing at the model vendor.

"Twelve words at the head of PRIN 2A bind the firm to the outcome. Everything else in the chapter is the supervisor explaining what counts as evidence."Warrant Compliance · 2026-05-09

02 · PRIN 2A.4–2A.7 · THE FOUR OUTCOMES

What good outcomes look like.

The four outcomes operationalise PRIN 2A.1.1R. They are not aspirational; each is drafted as a rule the firm must satisfy, and each generates a distinct evidence shape. An AI agent participating in any of the four chains inherits the supervisor's expectation of a per-decision record.

A firm must ensure that its products and services are designed to meet the needs, characteristics and objectives of customers in the identified target market. FCA Handbook · PRIN 2A.4 · products and services outcome

For a recommendation agent, the supervisor will want a per-decision record that the agent considered the customer's identified target-market segment and that the recommendation falls inside the manufacturer's intended distribution. A target-market check that exists only as a one-time approval at product-launch time does not satisfy a duty that applies to every retail interaction. The check has to live inside the agent's per-action envelope.

A firm must ensure that the price the customer pays for a product or service is reasonable relative to the benefits of the product or service. FCA Handbook · PRIN 2A.5 · price and value outcome

Price and value is the outcome that lands hardest on AI pricing engines. The firm must produce a fair value assessment per product cohort, but the supervisor will pull a specific customer case and read whether the price applied to that customer was reasonable relative to the benefits the customer received. For an AI-determined price, the per-decision record must capture the inputs to the price (including any inferred attributes), the cohort placement, and the residual customer-outcome risk. Reasonable relative to the benefits is a cohort-level test that has to survive a per-customer audit.

A firm must support retail customer understanding by ensuring that its communications equip retail customers to make decisions that are effective, timely and properly informed. FCA Handbook · PRIN 2A.6 · consumer understanding outcome

Consumer understanding governs every output an AI agent produces that ends up in front of a retail customer. A chatbot answer, a generated email, a personalised product summary, a quote document, an in-app explanation of a declined application: all of it is a communication subject to PRIN 2A.6. The evidence shape is a per-output communication-clarity record (reading-level estimate, key-information presence, prominence of fees and material risks, accessibility of the channel) that the firm can retrieve and tie to the specific customer who received it.

A firm must ensure that its support meets the needs of retail customers. FCA Handbook · PRIN 2A.7 · consumer support outcome

Support is where the AI agent itself most often sits. The outcome attaches whether the agent is the support channel, mediates the support channel, or replaces a human in the support channel. The evidence shape includes the escalation path the agent followed, the human-in-the-loop trigger conditions that fired or should have fired, and the resolution outcome the customer experienced. PRIN 2A.7 is also the outcome with the most explicit vulnerable-customer overlay: where a customer characteristic suggests vulnerability, the support quality is judged against that customer's needs, not against the average.

03 · PRIN 2A.2 · CROSS-CUTTING RULES

The three cross-cutting obligations.

PRIN 2A.2 sets out three cross-cutting rules that apply in addition to the four outcomes, not in substitution. They are the way the supervisor reads conduct that does not fall neatly inside one of the outcomes.

2A.2.4R

Act in good faith toward retail customers. SCOPE · honesty, fair dealing, and treatment consistent with the reasonable expectations of retail customers. The standard is FCA-defined, not industry-defined.

2A.2.8R

Avoid causing foreseeable harm to retail customers. SCOPE · harm the firm could reasonably anticipate, including harm via design choices in products, in distribution, in pricing, and in communications. Foreseeability is judged by what the firm knew or should have known.

2A.2.14R

Enable and support retail customers to pursue their financial objectives. SCOPE · positive duty. The firm cannot be neutral. Where the firm's design or distribution actively impedes the customer's stated objective, the rule is engaged.

The cross-cutting rule that lands hardest on AI is the second. Foreseeable harm reaches a model recommendation the firm cannot fully explain. The argument runs: a model whose decision boundary the firm cannot interrogate produces decisions whose harm the firm cannot foresee in the supervisor's sense; a firm that deploys such a model into retail channels has, by deployment alone, accepted a class of harm it cannot foresee. Explainability is the input to foreseeability, and foreseeability is the test under PRIN 2A.2.8R.

The supervisor's framing in the FCA Dear CEO letter on Consumer Duty implementation, dated 31 July 2023, made the position explicit. Where AI mediates a retail decision, the firm must surface explainability appropriate to the decision class, must retain that explainability as evidence, and must be able to deliver it to the supervisor on examination and to the customer on request. A model the firm cannot interrogate is, on the supervisor's reading, a model the firm cannot defend under PRIN 2A.2.8R.

The good-faith rule under PRIN 2A.2.4R has its own AI overlay. A model trained on data that systematically disadvantages a protected characteristic, even where the firm did not intend the disadvantage, is not consistent with the reasonable expectation a retail customer brings to the interaction. The firm must be able to evidence that the data, the design, and the operation of the agent are oriented toward the customer's interests, and the supervisor will read silence on that evidence as a finding.

The enabling rule under PRIN 2A.2.14R is the rule most often missed. It is a positive duty. An AI agent that defaults to the firm's preferred product, that hides the cheaper alternative behind a click, or that fatigues the customer into a decision that does not match the customer's stated objective is not enabling the customer's pursuit of that objective. The evidence shape is the per-action record that the agent considered the alternatives that mattered to the customer.

04 · PRIN 2A.7.5G · THE SMCR OVERLAY

The senior manager signs the chain.

PRIN 2A.7.5G and the FCA's Dear CEO letter dated 31 July 2023 frame Consumer Duty as a board and senior-management responsibility, not a compliance-function deliverable. Every firm in scope must designate a Senior Manager who owns the duty under SMCR. In most large firms the role attaches to SMF1 (Chief Executive Officer) or SMF2 (Chief Finance Officer), but the FCA accepts a designated alternative SMF where the firm's structure justifies it. Whoever holds the role carries the duty of responsibility under FSMA section 66A.

The duty is personal, not corporate. Where consumer harm follows an AI-driven decision and the firm cannot evidence the chain (rationale, oversight, alternatives considered), the SMF holder is exposed to personal fines, prohibition orders, or industry exclusion. The firm-level civil penalty is recoverable from the firm's balance sheet; the personal sanction is not. A record mapped to the specific obligation is the trail.

The quarterly board attestation cycle is the operational expression of the duty. The SMF holder must report to the board, at least annually, on the outcomes the firm's retail customers are experiencing, the issues identified, the remediation taken, and the residual risk carried into the next period. In practice firms run the report on a quarterly cadence so that the annual board pack is built on evidence the SMF has already validated. The supervisor will read the quarterly cadence into firm-wide expectations whether the firm formalises it or not.

SMF

DESIGNATED HOLDER

Single accountable individual. Typically SMF1, SMF2, or a designated other recorded on the firm's Statement of Responsibilities.

66A

DUTY OF RESPONSIBILITY

FSMA section 66A. Personal exposure where the firm fails to take reasonable steps to avoid the breach.

BOARD ATTESTATION

Annual minimum, quarterly in practice. The SMF reports outcomes, gaps, and remediation.

12y

PERSONAL LIABILITY HORIZON

FSMA section 66 limitation runs three years from FCA awareness, six from the act, with discoverability extensions.

What does the SMF holder actually need at the quarterly attestation? Three things. First, a per-cohort outcomes pack for every retail product line: target-market alignment under PRIN 2A.4, fair value evidence under PRIN 2A.5, communication-clarity evidence under PRIN 2A.6, support-quality evidence under PRIN 2A.7. Second, a per-decision retrieval capability so that when the supervisor pulls a specific customer case the SMF can stand behind the answer in the same minute. Third, a record that the SMF reviewed the outcomes, signed off, and named the residual risk carried into the next period. For an AI-driven product, the per-decision retrieval is the load-bearing piece, and a 90-day-rolling Datadog dashboard does not produce it.

That is why AI-decision logging is not optional for the SMF. The duty of responsibility under FSMA section 66A is a personal exposure that survives the SMF's tenure at the firm. An SMF who attests on evidence the firm cannot reproduce a year later, and on which the supervisor later finds harm, has attested a personal liability into existence. The structural answer is to make the per-decision evidence retrievable, independently verifiable without contacting Warrant, and external to any single observability tool the firm operates.

05 · PRIN 2A.10 · DATA AND OUTCOMES MONITORING

Regular monitoring is per cohort, per decision.

A firm must regularly monitor and review the outcomes its retail customers are experiencing. FCA Handbook · PRIN 2A.10 · monitoring of outcomes

For an AI-driven product the operative question is what counts as regular. The supervisor's working position, surfaced through Dear CEO correspondence and individual firm reviews across 2024 and 2025, is that the cadence must match the harm horizon of the product. A high-volume short-cycle product (consumer credit, retail FX) is monitored at most weekly and ideally daily; a long-cycle product (mortgage, life cover) is monitored quarterly, with per-decision retrieval available at any time on supervisor request.

Monitoring at the cohort level is necessary; it is not sufficient. The supervisor will at some point pull a specific customer case and ask whether the per-cohort monitoring would have surfaced the harm in time to remediate. Where the per-cohort monitoring runs on observability data that rotates at 30 to 90 days, and the customer case is older than 90 days, the answer is that the monitoring would not have surfaced the harm. PRIN 2A.10 is a per-cohort monitoring rule that depends on a per-decision evidence trail.

The Warrant evidence record is built to match this exact shape. It identifies the product line and the regulatory perimeter; captures the per-action subject, inputs, outputs, and timestamps; carries a per-action authorisation envelope (within purpose, preconditions met, human oversight appropriate, reversible, justification); and binds each action to the specific Handbook clauses engaged. The result is a per-decision evidence record that maps directly to PRIN 2A.10's monitoring obligation: cohort-level rollups read straight off the per-decision records, and per-decision retrieval is available because the records exist.

The architecture answer matters. A monitoring system that reads observability data and produces a dashboard answers a different question than the one PRIN 2A.10 asks. The Handbook asks: were the outcomes monitored, and is the firm acting on them. The Warrant evidence of record answers that question per decision and per cohort, and produces an evidence record, independently verifiable without contacting Warrant, that the SMF can hand the supervisor without negotiating retention.

06 · PS22/9 § 4.45 · THE CLOSED-PRODUCTS CLOCK

Closed products fell into scope on 2024-07-31.

Consumer Duty entered into force on 31 July 2023 for new and existing products and services. The FCA gave firms one additional year to apply the duty to closed products and services, that is, products that were no longer offered to new customers but continued to serve existing ones. PS22/9 paragraph 4.45 set the deadline at 31 July 2024. Both deadlines have now passed.

What that means in May 2026 is that the closed-products perimeter is a live supervisory area. The FCA expects evidence of historical-decision review for closed books that are still in run-off: legacy mortgage portfolios that originated before the duty entered into force; closed insurance products on which the firm continues to take premium; investment products that are no longer marketed but remain on existing customers' books. The supervisor's working position is that the duty applies prospectively to ongoing decisions on those books, including pricing, communications, and support.

For AI agents that adjudicate closed-product issues the implication is direct. A model that handles arrears on a legacy lending portfolio, a model that prices renewal on a closed insurance book, a model that triages complaints on a discontinued investment product, all sit inside the closed-products perimeter and therefore inside PRIN 2A. The supervisor reads the per-decision record the same way regardless of whether the underlying product is open or closed. An AI agent that cannot retrieve the per-decision record for a closed-product case from 2024 cannot defend the case in 2026.

07 · ANNEX 1 · WHAT GOOD EVIDENCE LOOKS LIKE

The shape of a defensible evidence record.

PRIN 2A's fair value assessment framing carries through to the broader evidence shape. The supervisor expects a record that names, per cohort and per decision, which sub-principle the action engaged, what mitigating control was applied, and what residual customer-outcome risk the firm accepted. The evidence is per cohort because the four outcomes operate at the cohort level; it is per decision because the per-decision record is the one the supervisor will pull in an examination.

A defensible record has six fields. First, the identification of the retail customer cohort and the specific customer where data protection allows. Second, the identification of the AI action and the actor (model identity, version, prompt template, deployment scope). Third, the inputs the agent considered, including any inferred attributes that fed the decision. Fourth, the output the agent produced and the rationale it can defend. Fifth, the human oversight trigger conditions that fired or should have fired, with the reviewer identity if the trigger fired. Sixth, the binding to the specific Handbook clauses engaged.

Warrant package_id 7de85ceaeac42a47 is a worked example. The package was generated from a fintech trace operating across the EU and UK, and although the framing is EU AI Act Article 12 and Article 13, the per-action evidence shape is FCA-aligned outcomes assessment. The binding to PRIN 2A clauses appears in the per-action regulatory_obligations field. The PDF is retrievable, independently verifiable without contacting Warrant, and is the kind of artefact an SMF can hand to a supervisor without further work.

Sample evidence package · PRIN 2A clauses bound per actionINDEPENDENTLY VERIFIABLE WITHOUT CONTACTING WARRANT

→ /v/7de85ceaeac42a47

08 · FSMA 2000 § 206 · THE PENALTY REGIME

Unlimited civil penalty, personal SMCR exposure.

The financial penalty regime sits in the Financial Services and Markets Act 2000, section 206. The provision empowers the FCA to impose a financial penalty on an authorised person of such amount as it considers appropriate, where the firm has contravened a relevant requirement. The statute does not cap the amount. In practice the FCA's penalty-setting policy runs through DEPP 6 (the Decision Procedure and Penalties manual), but the statutory ceiling is unlimited.

The £15 million figure that circulates in industry conversation is a comparison anchor (the EU AI Act Article 99(4) ceiling), not a UK statutory limit. Recent UK Final Notices have crossed £100 million on broader conduct grounds: the FCA Final Notice against TSB Bank dated 10 December 2024 carried £10.9 million in customer redress under the broader treating-customers-fairly umbrella that reads directly into PRIN 2A supervisory letters. The Final Notice against Coverage Underwriting dated 7 May 2025 was the first to cite PRIN 12 explicitly in firm-level enforcement. Across both notices the supervisor's framing was that PRIN 12 expands the duty of care, not codifies it, and the firm bears the evidential burden.

The personal SMCR exposure is the lever that creates a stronger evidence-discipline incentive than the firm-level penalty. A firm-level fine is a balance-sheet event the firm can accommodate in the next reporting cycle. A personal sanction against an SMF holder, including prohibition orders that exclude the individual from authorised-firm employment, is career-ending. The SMF holder who signs a quarterly attestation on evidence the firm cannot reproduce is, in effect, signing a personal liability into existence. The structural answer for the firm is to make the per-decision evidence retrievable for the duration of the SMF's exposure, not for the duration of the firm's standard observability cycle.

The supervisor's casework prioritisation in 2026 reads consistently with this framing. The FCA Dear CEO letter to consumer credit firms dated 15 April 2025 signalled that vulnerable-customer harm in AI-influenced decisioning would be treated as priority casework for 2026 supervision cycles. Multiple SMF holders have already been referred for assessment over AI-driven retail outcomes; counsel reviewing PRIN 2A in May 2026 should expect that a specific customer case file (vulnerable, loss-making, opaque rationale) will be the entry point, not the firm-wide management-information pack.

09 · WHERE WARRANT MAPS PRIN 2A

The clause-to-field map.

The table below names the Handbook clause, the evidence the AI agent must produce per action, and the Warrant evidence field that carries the record into the evidence package. The mapping is the shape an SMF can hand to a supervisor without further engineering.

PRIN 2A clause	What AI must evidence	Warrant evidence field
2A.1.1R · good outcomes	Every retail-facing decision rationale.	trace.actions[*].decision_rationale
2A.4 · products and services	Target-market alignment per recommendation.	classification.target_market_check
2A.5 · price and value	Price-vs-benefit assessment per offer.	trace.actions[*].fair_value_assessment
2A.6 · consumer understanding	Communication-clarity audit per output.	extract.communication_clarity_score
2A.7 · consumer support	Escalation path and human-in-loop trigger.	trace.actions[*].human_oversight_trigger
2A.10 · monitoring	Outcomes-review trail per cohort.	regulator_evidence.cohort_monitoring_report
2A.2.4R · good faith	Customer-interest orientation per decision.	assess.authorization_envelope.within_purpose
2A.2.8R · foreseeable harm	Harm-avoidance assessment per action.	assess.authorization_envelope.justification
2A.2.14R · enable objectives	Alternatives considered per recommendation.	trace.actions[*].alternatives_considered
SMCR · SMF · 66A	Senior Manager attestation binding.	trace.attested_by

The mapping is reversible. Given a supervisor's question on a specific clause the firm reads the column, retrieves the field, and produces the per-decision record. Given a specific customer case the firm reads the per-decision record and produces the bound clauses. Either direction is one query against the evidence package.

10 · THE DISCLOSURE CLOCK

Six years after the relationship ends.

DEPP 6.5.4G plus the SYSC retention rules plus the sectoral retention rules combine to a six-year minimum after the customer relationship ends, with longer periods for vulnerable customers and for products with long durations. In practice the operative retention floor for Consumer Duty evidence is six years post-relationship, and the supervisor will treat anything shorter as a record-keeping breach in itself.

For a 30-year mortgage portfolio the implication is direct. The customer relationship is the duration of the mortgage; the retention horizon is six years after the relationship ends; the combined evidence horizon is 36 years from origination. For a 25-year life cover policy the same arithmetic produces a 31-year horizon. For a workplace pension that pays out over a 30-year decumulation phase after a 40-year accumulation phase the horizon runs to 76 years from the first contribution. An AI agent that adjudicates pricing, communications, or support on any of these books needs an evidence record that survives across the full horizon.

Standard observability does not survive that horizon. Application logs rotate at 30 to 90 days. Cloud-provider audit trails rotate at 1 to 3 years on default settings. Even long-retention archive tiers run on the order of 7 to 10 years. None of these match the Consumer Duty evidence horizon for long-cycle retail products. The structural gap is real and growing.

The Warrant evidence package closes the gap by making retrievability a mathematical property rather than an infrastructure property. The package is independently verifiable without contacting Warrant: the retention of the underlying file is the firm's choice, but the verification of the file is independent of any retention decision the firm makes. Across a 36-year horizon the firm's standard observability stack will rotate dozens of times; the verifiable package will not.

That is the line the regulator-grade evidence stack draws. PRIN 2A says the firm must monitor outcomes and produce evidence on supervisor request. DEPP 6.5.4G says the firm must hold the evidence for at least six years after the relationship ends. The combined obligation does not survive on default observability infrastructure; it does survive on an evidence record the firm controls and the supervisor can verify independently without contacting Warrant. The artefact is the answer to the disclosure clock.

11 · FAQ

Questions a CCO and an SMF holder ask first.

Does PRIN 2A apply to me if i am not UK-domiciled?

PRIN 2A binds every firm authorised by the FCA, irrespective of group domicile. A non-UK parent operating through a UK-authorised subsidiary, branch, or appointed representative is in scope through that authorised entity. The FCA reads through to the chain that delivers the retail outcome in the UK market, and a non-UK group entity that participates in the chain inherits the duty by participation.

Does an AI agent making a recommendation count as "consumer support"?

Yes. PRIN 2A.7 binds the firm to deliver support that meets the needs of retail customers. Any automated channel that mediates the retail interaction, including an AI agent, is part of that support and inherits the obligation. The firm cannot offload the duty to the model vendor; the duty travels with the FCA-authorised firm that operates the channel.

What is the difference between PRIN 2A and the original eleven Principles for Businesses?

Principle 12 raises the standard above Principle 6 (treating customers fairly). PRIN 2A is the Handbook chapter that operationalises Principle 12 into four outcomes, three cross-cutting rules, and a continuous outcomes-monitoring obligation. The shift is from process compliance to outcomes compliance. A firm that satisfied Principle 6 by following a documented process can fail PRIN 2A by producing the wrong outcome.

How long must i retain Consumer Duty evidence?

DEPP 6.5.4G plus the SYSC and sectoral retention rules combine to a six-year minimum after the customer relationship ends, with longer periods for vulnerable customers and for products with long durations such as mortgages or pensions. A 30-year mortgage portfolio implies a 36-year evidence horizon, and the firm's standard observability stack does not survive that horizon.

Does the SMF have personal liability for an AI's decision?

Yes. The Senior Manager assigned Consumer Duty owns the duty of responsibility under FSMA section 66A. Where consumer harm follows an AI-driven decision and the firm cannot evidence the chain (rationale, oversight, alternatives considered), the SMF holder is exposed to personal fines, prohibition orders, or industry exclusion. A record mapped to the specific obligation is the trail.

What does "fair value" mean for an AI-determined price?

PRIN 2A.5 requires the price to be reasonable relative to the benefits. For an AI-determined price the firm must evidence a fair value assessment that captures the inputs to the price, the customer benefit considered, and the residual customer-outcome risk. The assessment is per cohort, per product, and reviewable per decision; a one-time assessment at product-launch time does not satisfy the ongoing duty.

Can a Datadog dashboard satisfy the monitoring obligation?

No. Operational dashboards measure system uptime and latency, not retail outcomes. PRIN 2A.10 requires regular monitoring and review of the outcomes customers are experiencing, retrievable per cohort and per decision. Standard observability rotates at 30 to 90 days; the Consumer Duty horizon runs in years. The monitoring obligation depends on a per-decision evidence trail the firm can retrieve long after the underlying observability data has rotated.

What is the connection between PRIN 2A and the EU AI Act?

Both regimes reach the same AI agent through different doors. The EU AI Act binds the high-risk AI system through Article 12 logging and Article 13 transparency. PRIN 2A binds the FCA-authorised firm through outcomes evidence per retail decision. A single Warrant evidence package can satisfy both regimes for a cross-border deployment, because the per-action shape that satisfies Article 12 is the per-action shape that satisfies PRIN 2A.

12 · READ THE SOURCE

Read the source directly.

Authored by Warrant Compliance, the regulatory-analysis function at Warrant. [email protected]. Editorial commentary on regulatory text. Not legal advice. The verbatim quotations of PRIN 2A.1.1R, PRIN 2A.4, PRIN 2A.5, PRIN 2A.6, PRIN 2A.7, and PRIN 2A.10 reflect the FCA Handbook text in force on 9 May 2026.

FCA Consumer Duty Principle 12, line by line.