UK financial services lacks shared AI governance standard, Zango report warns
TL;DR: A new report from compliance technology firm Zango AI, drawing on interviews with senior leaders at Lloyds, Monzo, Stripe and others, warns that the UK has no sector-specific implementation guidance for AI governance in financial services. The US Treasury published a Financial Services AI Risk Management Framework in February, developed with 108 institutions; Singapore’s MAS published an equivalent in March. The UK and EU have nothing comparable.
The report calls for practitioner-built guidance modelled on the Joint Money Laundering Steering Group — the industry-developed financial-crime compliance standard that carries government endorsement without being mandated by regulators. Lord Clement-Jones, House of Lords spokesperson on science and tech and co-chair of the all-party parliamentary group on AI, writes in the foreword that “what is immediately missing is the translation of high-level regulatory principles into day-to-day operational practice. We cannot simply wait for the aftermath of the first major AI-fuelled financial scandal to force us into action.”
What the gap looks like in practice
Zango’s central finding is that UK FS firms are deploying generative and agentic AI faster than their compliance functions can govern them, with several institutions unable to identify all the AI tools currently in use across their own organisations. Dean Nash, Zango adviser and global COO (legal) at Santander, told Finextra: “The kinds of AI systems now being adopted across financial services don’t behave the way the systems we built our governance frameworks around behaved. They make judgements, produce different outputs in different contexts, and cannot be fully tested in advance.”
The report quotes a Zango figure of $579 billion in global fraud losses in 2025, with 90% of financial professionals reporting an increase in AI-enabled attacks. The framing is that without shared operational guidance, governance gaps “can be exploited at scale”.
Looking forward
The report lands as the Bank of England prepares to convene the Treasury, FCA and National Cyber Security Centre to assess risks from Anthropic’s Mythos model — a frontier-model evaluation that will be hard to confine to a single product. Add the EU AI Act trilogue stalling overnight (potentially returning UK firms to an August 2026 Annex III deadline) and the practical pressure on UK FS compliance teams is acute. A JMLSG-style industry standard would let UK firms move faster than waiting on FCA, PRA or BoE rulemaking — but it requires the trade bodies (UK Finance, AFME) to commit resource. Expect renewed lobbying for that within the next quarter, with vendor-led standards initiatives competing for the gap.