The most revealing line in Nikhil Rathi’s speech to techUK last week was not about agents or tokens. It was an admission: “Legislation will never keep up.” Coming from the chief executive of the Financial Conduct Authority, that is not resignation. It is a strategy. The FCA has concluded that the old contract, in which Parliament writes detailed rules and the regulator enforces them, no longer fits a market where the technology reshapes itself faster than any statute can be drafted. In its place, the FCA is positioning itself as a steward that intervenes on judgement, before the law arrives. For any UK firm that touches financial services, directly or as a supplier, that shift matters more than any single rule it might publish this year.
What Rathi actually said
The speech, delivered on 24 June at techUK’s “Agents of Change” conference, was framed around a single question: how do you preserve trust, competition and resilience when markets move dramatically faster than the frameworks governing them? Rathi’s answer is the FCA’s strategy of “rebalancing risk”: accepting more risk in some places to unlock innovation, whilst concentrating supervisory firepower where systemic failure would do real damage.
Studies suggest more than 80% of financial-services firms are already adopting AI, so the regulator’s framing is deliberately about scale rather than novelty. The question is no longer whether firms use AI, but what happens when they all run it at once, on shared infrastructure, at machine speed.
Strategic Reality: When a regulator tells you that legislation “will never keep up”, it is telling you how it intends to behave. The FCA is signalling that it will act on judgement and intelligence, not wait for a statutory perimeter to catch up. Firms that plan around the old “no rule, no obligation” reflex are planning around a regulator that no longer exists.
The clearest precedent Rathi reached for was Buy Now Pay Later. It took roughly six years for BNPL to come formally into the FCA’s regulatory perimeter, but, as he put it, “we did not wait six years to intervene.” That single example is the whole thesis in miniature: the absence of a rule is no longer a safe harbour.
| The number | What it measures | Why it matters |
|---|---|---|
| 80%+ | Financial-services firms already adopting AI | The debate has moved from adoption to scale and concentration |
| ~6 years | Time for BNPL to enter the FCA perimeter | The FCA intervened long before the law formally arrived |
| 1 billion | Rows of data the FCA processes per day | The basis for its own agentic “first responder” on market abuse |
| 98% | Operational incidents last year tied to tech and cyber | Resilience is now a technology problem, not a back-office one |
| £1.3bn | UK payment-fraud losses last year (UK Finance) | Two-thirds of authorised fraud arrives via social media and messaging |
From rule-making to stewardship
The substance of the pivot is a change in what the FCA thinks its job is. “In some areas,” Rathi said, “we will still need detailed rules. But in others, traditional rule-making simply won’t work anymore.” The growing part of the role is what he called stewardship as well as supervision: helping firms and markets navigate technological change, working more collaboratively to understand emerging risks, and “even acting before legislation catches up.”
This is a meaningful departure from the instinct most firms have been trained on. Compliance teams are built to read rules and map them to controls. A stewardship regulator asks something harder: that firms reason about outcomes and intent in the absence of a precise instruction, and engage early when they are not sure. The FCA is, in effect, trading some legal certainty for speed, and asking firms to meet it there.
Critical Context: Stewardship cuts both ways. A regulator willing to act before the law catches up is also a regulator willing to bless innovation before the law catches up. The Supercharged Sandbox and AI Lab exist precisely so firms can build against real data and compute while the rules are still forming. The price of that latitude is engagement: the FCA gets to be permissive because it expects to be in the room.
It also reframes competition. Rathi was blunt that AI lowers barriers to entry and lets challengers establish at speed, and that the FCA welcomes this: “Our role is not to protect incumbents, but to ensure competition works as it should.” He went further on the regulator’s own toolkit, saying the FCA should expect to use its system-wide powers — under the Enterprise Act, the Digital Markets, Competition and Consumers Act, or beyond — “more frequently, not as exceptional interventions, but as a regular part of our toolkit.” Powers that were once reserved for crises are being normalised into routine supervision.
The two scaling bets, and how prescriptive regimes compare
Underneath the regulatory philosophy sit two concrete technology bets the FCA is willing to back.
The first is agentic systems: the shift Rathi drew from generative AI that summarises and detects, to systems that “coordinate and transact.” In retail markets that could mean smarter bill management and personalised investment strategies; in wholesale markets, agents supporting liquidity management and trading workflows. He called it “a profound step change to the structure and operation of markets,” whilst insisting that accountability for regulated activities must remain clear and human oversight must be designed in. The unresolved tension is plain: investors will be wary of delegating consequential decisions to systems they do not understand.
The second is tokenisation. On the Monday before the speech, the FCA approved Baillie Gifford, alongside Bank of New York Mellon, to launch the UK’s first natively tokenised authorised fund — “the entire transaction journey, end-to-end, on chain.” Banks are already piloting tokenised deposits that could cut friction and fraud in processes like home-buying. Tokenisation is being positioned not as a crypto sideshow but as the programmable plumbing that agentic finance will need.
Competitive Reality: Contrast the FCA’s posture with the EU AI Act’s prescriptive, risk-tier model, where obligations are fixed in legislation ahead of deployment. The UK is betting that a judgement-led, pro-innovation regulator can move faster than a codified rulebook — approving a live tokenised fund rather than waiting for a category to be legislated. That is a genuine divergence, and it is a bet. Codified rules give certainty; stewardship gives speed. Firms operating across both jurisdictions will have to run to two clocks at once.
| Stakeholder | What changes | Strategic implication |
|---|---|---|
| Large regulated firms | System-wide powers become routine supervision | Expect scrutiny of concentration and conduct even where no specific rule applies |
| Challengers and fintechs | Lower barriers, active FCA welcome | A real opening to win share at speed — but accountability still attaches |
| SMEs supplying the sector | Cloud, model and data dependencies get mapped | You may be assessed as part of a client’s resilience and Critical Third Parties picture |
| Firms also under the EU AI Act | Two divergent regimes to satisfy | Plan for a permissive-but-engaged UK and a prescriptive EU in parallel |
| Consumers | Agentic and tokenised services arrive sooner | Trust and clear redress become the deciding factor in adoption |
What firms should do about it
The pivot rewards firms that treat the regulator as a counterparty to engage rather than a rulebook to satisfy. A few priorities follow directly from the speech.
Map your dependencies before you are asked to. Rathi was explicit that dependencies, “particularly on model providers and third parties, must be properly mapped and governed,” and that the Critical Third Parties (CTP) regime “becomes more important than ever.” If your firm relies on a small number of cloud, model or data providers, that concentration is now a supervisory interest, not just an IT one.
Build accountability into agentic systems from the start. The FCA will tolerate agents that transact, but not ambiguity about who is answerable when one errs. Decide now where human oversight sits and how you would evidence it.
Engage early, especially on competition. The FCA repeatedly invited firms to surface risks, barriers and even competition-law concerns promptly. In a stewardship model, early engagement is not a courtesy: it is how you earn the latitude.
Take Action: Pick one AI use case heading towards “coordinate and transact” rather than “summarise and detect”, and write down, in a single page, who is accountable for its outcomes, which third parties it depends on, and what would happen if one of those providers failed. That page is the conversation the FCA is signalling it wants to have.
The maturity of your response should scale with your exposure. Firms early in adoption should focus on dependency mapping and governance basics. Firms already running AI in production should pressure-test accountability and resilience against the CTP lens. Firms building agentic or tokenised products should be in the Sandbox, the AI Lab or the AI Consortium, engaging whilst the rules are still being shaped, not after.
The challenges hiding in the optimism
Four tensions in the FCA’s position deserve scrutiny, because they are where the strategy could strain.
The first is concentration risk. The same shared infrastructure that makes AI cheap to adopt — a handful of cloud, model and data providers — creates a systemic single point of failure. Rathi was candid that resilience is becoming “a national security and system-wide challenge,” with risks “that no one firm, regulator or sector can fully see.” The CTP regime is the answer, but it is young, and the dependencies are deepening faster than the oversight.
The second is the accountability gap in agentic finance. A system that coordinates and transacts can act in ways its operators did not specifically foresee. “Designed with the right human oversight” is the right principle; operationalising it across thousands of automated decisions per second is the hard part, and the speech did not pretend otherwise.
The third is fraud at the intersection. The £1.3bn lost to UK payment fraud last year, with two-thirds of authorised cases arriving via social media and messaging, shows that the threat now sits across financial services, technology and telecoms at once. Faster models could help defenders and attackers equally, and 98% of operational incidents already trace to tech and cyber. No single regulator owns this surface, which is why Rathi pointed to joint work with Ofcom and pressure on tech platforms to “step up.”
Reality Check: The fourth challenge is the one firms least want to hear. Rathi warned that “some firms may fall behind the pace, while others rapidly rise,” and called the transition one that “might feel bumpy at times.” A regulator that refuses to protect incumbents is, by design, willing to let laggards lose. Falling behind on AI is no longer just a commercial risk; it is now a position the regulator has explicitly declined to insure against.
The strategic takeaway
The FCA’s message to UK financial services is that the regulator intends to move at the speed of the technology, and expects firms to meet it there. The value on offer is real: a pro-innovation supervisor approving live tokenised funds, opening sandboxes with Nvidia and Google, and standing up an Agentic Academy and an AI Consortium with the Bank of England, rather than freezing the market whilst it legislates. The FCA is even turning AI on itself, exploring an agentic “first responder” to monitor wholesale markets across a billion rows of data a day. The cost is a different kind of discipline: reasoning about outcomes without a precise rule, mapping dependencies before being asked, and engaging early enough to be trusted with latitude.
Three things will separate the firms that thrive from those that struggle. First, treating the regulator as a partner to engage rather than a rulebook to satisfy. Second, building accountability and resilience into AI systems by design, not as a later bolt-on. Third, moving deliberately whilst the rules are still forming, because in a stewardship model the firms in the room help write the approach.
Success Factor: The clearest near-term tells are already on the calendar. The Mills Review, on how AI could reshape retail financial services, is due within weeks, and a publication on good and poor AI practice is expected later in 2026. Both will convert the philosophy in this speech into concrete expectations. Reading them as soon as they land — and benchmarking honestly against them — is the cheapest competitive intelligence available to any UK firm this year.
For UK SMEs, the implication is easy to miss and important to grasp. You may never read an FCA handbook, but if you supply cloud, models, data or software to a regulated firm, the FCA’s new interest in concentration and Critical Third Parties reaches into your business through your clients’ due diligence. The pivot from rule-making to stewardship does not stop at the perimeter. It follows the dependencies, and AI has made those dependencies longer, deeper and more concentrated than ever.
Next steps for decision-makers:
- Identify your firm’s most critical AI and infrastructure dependencies, and who governs them
- Decide where human accountability sits for any system that transacts, not just advises
- Diarise the Mills Review and the good/poor-practice publication, and plan to benchmark against both
- If you operate across the EU too, document where the UK’s permissive stance and the EU AI Act’s prescriptive one diverge for your products
- If you supply regulated firms, expect Critical Third Parties questions, and prepare your resilience evidence now
This analysis is based on the speech “Rethinking regulation in the age of AI” delivered by Nikhil Rathi, chief executive of the Financial Conduct Authority, at techUK’s “Agents of Change: Generative and Agentic AI in Financial Services 2026” conference on 24 June 2026. The published text notes it is a drafted speech and may differ from the delivered version. Source: Financial Conduct Authority. Figures cited on fraud are drawn from UK Finance’s Annual Fraud Report as referenced in the speech.
Resultsense makes sense of AI in the UK for professionals and businesses. For more analysis of how AI policy and regulation affect UK firms, explore our Insights and News.