The FCA Code of Conduct extension covering AI-assisted communications takes effect on 1 September 2026. From today, 16 June 2026, that is exactly 77 days. If your firm is using voice AI to interact with retail customers, certified persons, or any approved-person workflow under the Senior Managers and Certification Regime, you sit inside that countdown.
This is the operational deployer checklist — the script, the evidence pack, the attestation, the 90-day plan, and the contract terms. It is the second half of the conversation we started in our FCA AI governance guide for 2026, and it sits alongside our Article 50 enforcement countdown for any UK firm with EU customer flows. The two regulations bite on different scopes, but the practical evidence pack overlaps about 70%.
This is shipped by the team behind Dilr Voice — enterprise voice AI live with FCA-regulated lenders, brokers, and collections operators in the UK. See also the AI operating model stage of DATS, where Senior Manager attestation gets stitched into the weekly cadence.
What the FCA Code extension actually covers
The FCA Code of Conduct (COCON) has, until 2026, focused on individual conduct: integrity, due skill, market conduct, customer treatment, the Senior Manager Conduct Rules. The 1 September 2026 extension reads those duties through any AI system that materially contributes to the communication with a regulated customer. Voice AI sits at the centre of that scope.
The extension is not a separate sourcebook. It is a clarification — joined-up with Consumer Duty Principle 12, with the AI-relevant elements of SYSC, and with the FCA's ongoing supervisory stance set out across the Treasury Committee response earlier in 2026. Read together, the package gives an FCA-supervised firm three operational obligations from 1 September 2026 onwards.
One: the customer must know they are interacting with AI. Disclosure is not optional and not buried at the end of the call. The interpretation of FCA's COCON 4 (due care) read with Consumer Duty cross-cutting Outcome 1 is that AI identity is a material fact for any retail customer. Voice AI deployments that disclose only on first ring, or only in a recorded preamble, do not meet the standard. The disclosure must be upfront, unambiguous, and verifiable in the audit trail.
Two: the firm must hold attestation evidence for every decision the AI takes that affects a customer outcome. This is the SM&CR transmission of an existing standard — every approved person already attests they have reasonable oversight of the systems they supervise. From 1 September, the FCA's supervisory expectation is that "reasonable oversight" of an AI-assisted communications channel includes a documented evidence pack covering: input training data lineage, prompt versioning, escalation triggers, hallucination rate, post-call accuracy, and a clear audit trail mapping each customer interaction to its model version.
Three: Consumer Duty crossover is non-bypassable. Where AI voice contributes to information-giving (Consumer Understanding outcome), product matching (Products and Services outcome), or to a sales or collections journey (Price and Value, Consumer Support outcomes), the firm must be able to evidence that the AI does not foreseeably cause harm. The FCA's guidance is consistent with the broader AI tool inventory expectation — if you can't list it, you can't supervise it.
If your firm operates only in the UK, this is your primary clock. If you also have EU customer flows, your second clock is the EU AI Act Article 50(1) deadline of 2 August 2026 — see our Article 50 deployer countdown for that workstream. The two regulations expect different disclosure language but the same underlying audit evidence.
Who is actually in scope — deployer vs provider
The Code extension applies to the regulated firm that uses voice AI to communicate with its customers. That is the deployer. The voice AI vendor is the provider. Most enterprise vendors will not be FCA-authorised themselves. That does not push the obligation back onto them — it leaves it firmly with the authorised firm.
This is the same split we wrote about in our voice AI MSA contract clauses guide and matches the deployer/provider split familiar from EU AI Act work. The split has three procurement consequences.
The deployer cannot outsource the disclosure script. Every word the AI says about its own identity is the firm's responsibility, even if the vendor wrote the boilerplate. The 90-day plan we lay out below assumes the regulated firm reviews and signs off on every disclosure variant, in every language, in writing.
The deployer must hold the audit log itself. A vendor-hosted dashboard is not enough. The FCA's supervisory expectation is that the regulated firm can, on request, produce the audit log for any customer interaction within a defined SLA — typically within five business days for a Section 165 information request. If the vendor's contract gives the deployer read access but not export, that is a procurement red flag and we cover it in the contract section.
The deployer must run the Consumer Duty assessment. No vendor can run a Consumer Duty fair-value or foreseeable-harm test on the firm's behalf. The firm runs it, documents it, and refreshes it at the cadence its board has set — usually quarterly, sometimes monthly for high-risk products like consumer credit collections or unsecured retail lending.
That all said, the deployer's evidence pack depends on the vendor doing certain things upstream. The next section is the clause architecture that gets the deployer the evidence it needs.
The six-clause disclosure architecture
This is the centrepiece of the 90-day plan and the thing most voice AI deployments will need to rewrite between now and 1 September. The six clauses below are not a script — every firm and every customer journey needs its own. They are the structural elements every disclosure must contain to be defensible under FCA supervision.
1. Identity clause. The customer hears, in the opening seconds, that this is an automated AI system, not a human. Phrasing is firm-specific but the substance is non-optional.
2. Purpose clause. The customer is told what the call is for, what data it will handle, and what outcomes the AI is empowered to deliver. Vague language ("we'd like a brief chat") fails the test.
3. Escalation clause. The customer must know they can speak to a human at any point and how to trigger that. "Say 'agent' or 'human' at any time" is a standard pattern.
4. Recording and data clause. The customer is told the call is recorded, transcribed, and used by the firm under its retention policy. UK GDPR lawful basis is named or available on request.
5. Limits clause. Where the AI cannot answer a question (regulated advice, vulnerability flag, complaint, anything outside scope), it states the limit and triggers the escalation. The AI is never allowed to improvise a regulated answer.
6. Verification clause. Every disclosure event is logged with a timestamp and tied to the model version. The audit log can reproduce, for any customer interaction, the exact words the AI used and when.
The non-obvious one is clause five. Most voice AI deployments we audit in regulated firms have well-built clauses one to four — identity, purpose, escalation, data — and break on clause five because the AI has been trained on a knowledge base broad enough that it will attempt regulated advice if a customer asks the right question. The architecture decision that prevents this is set out in our voice AI tool calling and orchestration guide and supported by the voice AI hallucination procurement gate — the AI must have a hard-coded refusal set, not a soft prompt instruction, for any topic outside its sanctioned scope.
Clause six is also subtle. The verification log must be immutable — the FCA cannot accept evidence that has been edited after a customer complaint is filed. Practically that means write-once storage, hash chain or equivalent, and a clean linkage to the model version, prompt version, and orchestration configuration in force at the call timestamp. The vendor's audit log is only useful if the firm can verify those linkages independently. Our voice AI auditability guide walks the procurement-grade test for this.
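A hash-chained disclosure log of the kind clause six describes, as an added example (not Dilr's or any vendor's code). The field names, identifiers and sample utterances are assumptions constructed for illustration. It shows why the firm must hold the chain's head hash in its own system: a rewritten chain is internally consistent and only fails against the independently stored head.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry

# Hypothetical schema: fields each entry must carry so that a call maps to
# the model, prompt and orchestration configuration in force at the time.
REQUIRED = ("call_id", "ts", "model_version", "prompt_version",
            "orchestration_config", "clause", "utterance")


def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, fixed separators) so the firm can
    # recompute the same hash from an exported log.
    body = json.dumps({"prev_hash": prev_hash, "record": record},
                      sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_event(log, record):
    """Append one disclosure event and return the new head hash."""
    missing = [f for f in REQUIRED if not record.get(f)]
    if missing:
        raise ValueError(f"missing linkage fields: {missing}")
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"prev_hash": prev_hash, "record": dict(record),
                "hash": _digest(prev_hash, record)})
    return log[-1]["hash"]


def verify_chain(log, expected_head=None):
    """Return (ok, detail): detail is the index of the first bad entry,
    'head-mismatch' when the chain does not end at the firm-held head,
    or None when everything checks out."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash:
            return False, i
        if _digest(prev_hash, entry["record"]) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, "head-mismatch"
    return True, None


def build_sample_log():
    """Constructed sample: three disclosure events from one call."""
    base = {"call_id": "call-0001", "model_version": "model-2026.06",
            "prompt_version": "prompt-v14", "orchestration_config": "orch-7"}
    events = [
        ("2026-06-16T09:00:01Z", "identity",
         "This is an automated AI assistant, not a human."),
        ("2026-06-16T09:00:06Z", "escalation",
         "Say 'agent' at any time to speak to a person."),
        ("2026-06-16T09:00:11Z", "recording",
         "This call is recorded and transcribed."),
    ]
    log, head = [], GENESIS
    for ts, clause, utterance in events:
        head = append_event(
            log, dict(base, ts=ts, clause=clause, utterance=utterance))
    return log, head


if __name__ == "__main__":
    log, firm_head = build_sample_log()  # firm_head is stored by the firm
    print(verify_chain(log, firm_head))
    log[1]["record"]["utterance"] = "edited after complaint"
    print(verify_chain(log, firm_head))
```

Verifying without `expected_head` only proves the log is self-consistent; truncating the log or recomputing every hash after an edit passes that weaker check.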
The attestation evidence pack — eight artefacts
Senior Managers will be expected to attest, from 1 September, that they have reasonable oversight of any AI voice channel that affects customer outcomes. Attestation without evidence is exposure. The eight-artefact pack below is what we ship to regulated clients when we build out the FCA evidence layer at the operating model stage of DATS.
| # | Artefact | What it proves |
|---|---|---|
| 1 | Sanctioned scope register | Every topic the AI is permitted to address, mapped to product, customer segment, and Consumer Duty outcome |
| 2 | Prompt versioning log | Every change to the system prompt, with date, approver, business reason, and rollback path |
| 3 | Disclosure script library | Every disclosure variant — language, channel, customer segment — with sign-off chain and live-from date |
| 4 | Audit log specification | Field-by-field schema of what is captured per call, retention period, export format, immutability mechanism |
| 5 | Escalation matrix | Triggers for human handover, with SLAs, by product and segment, and the data passed at handover |
| 6 | Vulnerability gate | The signals the AI must detect that force a human handover irrespective of intent — and the test cases that prove it works |
| 7 | Consumer Duty assessment | The four outcomes mapped to the AI's behaviour, with foreseeable-harm test results and refresh cadence |
| 8 | Vendor obligations confirmation | Signed vendor statement confirming the FCA-relevant terms — data residency, training opt-out, audit access, exit support |
Each artefact has an owner — usually a different one. The escalation matrix sits with operations. The Consumer Duty assessment sits with risk and compliance. The vendor obligations sit with procurement and legal. The sanctioned scope register is a joint product. The Senior Manager attesting needs to know that each owner has signed off in writing, and that the firm's governance framework names them.
Artefact six — the vulnerability gate — is the one most firms underbuild. The FCA's Consumer Duty work since 2023 has steadily raised the standard for what counts as adequate vulnerability detection on voice channels. From 1 September, an AI voice deployment that does not detect and act on hallmark vulnerability signals (cognitive impairment markers, indications of financial distress, signs of coercion) will struggle to defend its Consumer Duty assessment. The vulnerability gate sits architecturally upstream of the AI's response logic — it is not a sentiment-analysis bolt-on. Our voice biometric data security guide covers the related Article 9 GDPR exposure on the data the gate captures.
Consumer Duty crossover — where Principle 12 bites
Consumer Duty is the lens through which the FCA reads almost every other rule. The Code extension does not change that — it reinforces it. The four outcomes are familiar; the application to AI voice is where the work is.
Consumer Understanding outcome. The AI must produce communications that the customer can understand. Speed of speech, vocabulary level, acronym use, and the disclosure clauses all interact. The test the firm needs to run is whether a representative sample of customers — including vulnerable customers — actually understand the AI's communication, not just rate it as polite. The Code extension reads through to a documented testing protocol.
Consumer Support outcome. The AI must support customers in pursuing their financial objectives without unreasonable barriers. The escalation clause is the operational pivot — if the AI does not escalate fast enough when a customer cannot be helped by an automated channel, the firm fails this outcome. Our escalation and handover design guide sets out the architecture pattern that holds up under FCA scrutiny.
Products and Services outcome. If the AI is involved in any product match, recommendation, or eligibility check, the firm must evidence the match is suitable. This is the Code extension's strictest gate for retail lending, mortgages, and consumer credit. The product matching logic must be testable, documented, and refreshed at the cadence the product governance committee has set.
Price and Value outcome. Where the AI participates in collections, repayment plan setting, or fee discussions, the firm must evidence the customer is treated fairly on price. This is the gate most relevant to firms using AI voice in fintech collections and KYC workflows — the AI cannot push a customer towards a more expensive option than a human agent would have offered. The Consumer Duty assessment artefact in the evidence pack must speak directly to this.
If the firm is also subject to the EU AI Act through its EU customer base or its product distribution, the Consumer Duty assessment dovetails with the Article 50(1) disclosure obligations and the Article 50(2) synthetic content marking obligations under the omnibus delay. The firm runs one assessment, references both regimes, and stores both in the same evidence pack.
SM&CR — the personal accountability dimension
This is the line item most regulated firms underestimate. The Senior Managers and Certification Regime makes individuals personally accountable for the systems they supervise. The Code extension applies the existing standard — reasonable oversight — to AI voice, but the practical effect is that a Senior Manager personally signs off on the AI's behaviour with their own name and reputation on the document.
The Senior Manager Conduct Rule SC4 (taking reasonable steps to disclose information to the FCA) is the operative one. If the AI voice channel has a known weakness — a category of complaint the firm has not yet addressed, a Consumer Duty outcome the channel has not yet been formally assessed against, a vendor obligation that is contractually weak — the Senior Manager has an active disclosure obligation under SC4. Knowing about it and not disclosing is itself the breach.
The structural consequence is that the attestation evidence pack must be live — not a snapshot taken on 31 August 2026 and stored. Every change to the AI's behaviour goes through the change-control process and updates the relevant artefact. The Senior Manager's quarterly review (we'd argue monthly for the first year) goes through the artefacts and confirms each is current. This sits inside the COO's operating cadence we cover in our operating model design guide and is one of the points we walk through in the execution office when an FCA-regulated firm engages us to run the rollout.
Sector calibration — banking, insurance, wealth, consumer credit, IFA, collections
The Code extension applies across the FCA regulatory perimeter but the practical work differs by sector. The table below maps the highest-risk Consumer Duty outcome by sector and the practical Code extension priority.
| Sector | Highest-risk Consumer Duty outcome | Practical Code extension priority |
|---|---|---|
| Retail banking | Consumer Support | Escalation matrix, vulnerability gate, complaints handling integration. AI voice volume is high — service desk, fraud confirmation, payment dispute intake |
| Insurance | Products and Services | Suitability evidence on product-match journeys. FNOL intake at scale needs the insurance claims architecture we've published |
| Wealth and IFA | Consumer Understanding | High-vulnerability customer base. The AI must not be permitted to discuss anything resembling regulated advice — clause five must be heavily locked down |
| Consumer credit (lending) | Price and Value | Pre-contract information delivered by AI must meet the same standard as written disclosure. Affordability check journeys are particularly exposed |
| Collections | Price and Value | The highest-volume AI voice use case in FS. Affordability assessment cannot be left to AI alone — the gate must escalate to a human at the first affordability signal |
| Brokerage and intermediaries | Consumer Understanding | The disclosure must explain the principal-agent relationship clearly. Many AI voice deployments here muddle who is liable for what — the Code extension forces clarity |
The collections case is worth a particular flag. We see collections as the highest-volume AI voice deployment in UK financial services and the highest-risk under the Code extension. The collections and KYC architecture we published in May covers the structural design, but every collections AI deployment in scope needs its vulnerability gate and affordability escalation rebuilt for the 1 September deadline. The penalties — both regulatory and reputational — for a Consumer Duty failure in collections are disproportionate to the volume of calls affected.
Five MSA clauses tightened to FCA scope
The full eleven-clause MSA template is in our voice AI MSA contract clauses guide. The five clauses below are the FCA-specific subset every regulated firm should hold in its vendor contract before 1 September.
Clause one: UK data residency with FCA inspection right. Call recordings, transcripts, and the audit log must be stored on UK infrastructure or under a documented adequacy decision. The contract must give the regulated firm an inspection right that can be passed through to the FCA on request. Our data residency guide covers the architectural patterns; the contractual passthrough is the procurement layer.
Clause two: training data exclusion. The vendor must not use the firm's customer call data to train its general models. Where the vendor uses data for firm-specific tuning, the scope and consent basis must be explicit. This clause is non-negotiable for any firm whose DPIA flags Article 9 special category processing.
Clause three: audit log access and export. The firm must have read access, export rights, and a documented format that downstream tooling can ingest. The contract specifies the SLA — typically 5 business days for a regulatory request, 24 hours for an urgent complaint. Without this clause, attestation artefact four is undeliverable.
Clause four: Article 50 disclosure architecture and refresh path. The vendor must support firm-specific disclosure clauses (the six clauses above), expose them in a way the firm can review and update, and provide a refresh path that does not require re-procurement. This clause is identical to the Article 50(1) clause we covered in the Article 50 enforcement deployer checklist — the same contract serves both regimes.
Clause five: regulatory change indemnity. Where a future FCA pronouncement adds material obligations — a new outcome test, a new evidence requirement — the vendor commits to implementing the technical changes within a defined window (90 days is the standard ask). The firm carries the disclosure obligation; the vendor carries the technical change.
These five clauses overlap heavily with the clauses the Article 50 deployer checklist requires. A regulated firm with both UK and EU customer flows should run a single MSA negotiation that covers both regimes — separate MSAs create gaps in obligation that procurement will not see until enforcement.
The 90-day operational plan
This is the day-band plan we run when we engage with an FCA-regulated firm on a Code extension readiness sprint. Each phase has a named owner, a sign-off gate, and a Senior Manager checkpoint.
Days 0–30: scope and inventory
The first phase establishes what is in scope and who owns it. The deliverables are the sanctioned scope register, the deployer-vs-provider map, and the named Senior Manager for the AI voice channel.
The exercise begins with an end-to-end audit of every customer-facing call journey that involves AI voice. For each journey: the product, the customer segment, the regulated firm in the chain, the AI vendor, the data the AI handles, the outcomes the AI is empowered to deliver, the existing disclosure language, the escalation triggers, and the current audit log capability. This is the AI tool inventory exercise tightened to FS.
Phase one ends with the Senior Manager naming themselves on the FCA register entry for the AI voice channel and the operating committee receiving the scope register for sign-off. If the firm has more than one AI voice deployment — common in larger firms running both inbound and outbound — each deployment gets its own scope register and its own Senior Manager owner.
Days 30–60: disclosure, audit, Consumer Duty
The second phase ships the six-clause disclosure architecture, the audit log infrastructure, and the Consumer Duty assessment. By the end of phase two the firm has executable code changes in production and a documented evidence pack covering artefacts one through six.
Disclosure first. The compliance team drafts the six clauses per customer segment. Operations runs UAT — a representative cohort of customers (including vulnerable customer test cases) listens to the disclosure variants and the firm captures comprehension data. Risk reviews the cohort design and the comprehension thresholds. The disclosure script goes live by day 45, leaving 15 days for monitoring before phase three begins.
Audit log next. The vendor configuration is set up to write to the firm's own immutable log infrastructure. The schema captures every field artefact four requires. The 5-business-day export SLA is tested with a synthetic request. If the vendor cannot deliver, the contract negotiation re-opens — there is no workable way to meet the 1 September deadline with a vendor that cannot export audit data.
Consumer Duty in parallel. The four outcomes get tested against the AI's actual behaviour using the cohort from disclosure UAT plus a stress cohort drawn from prior complaints. The foreseeable-harm test is documented; remediation actions for any failures are scoped and tracked. The board's Consumer Duty committee — or equivalent — receives the assessment by day 55.
Days 60–90: attestation, sign-off, ongoing cadence
The third phase produces the signed attestation evidence pack and embeds the ongoing cadence into the operating model.
The Senior Manager reviews all eight artefacts. Each artefact owner walks them through the substance, the gaps, and the remediation plan. The attestation is signed before 1 September 2026 — the recommendation is to target 25 August so there is buffer before the deadline.
The operating cadence is the bit firms most often skip. The attestation is not a one-time event — Senior Manager Conduct Rule SC4 makes it a live disclosure obligation. The firm should establish a monthly review of the AI voice channel for the first six months after 1 September and quarterly thereafter. Each review touches the eight artefacts, surfaces material changes, and either confirms or refreshes the attestation. The operating model and execution office phases of DATS embed this cadence in the firm's standing committee structure.
Phase three also closes the loop with procurement. The five MSA clauses above are confirmed live. If any vendor obligation is unconfirmed by 1 September, the Senior Manager has an SC4 disclosure obligation to the FCA — surface it, do not store it.
See the parallel regimes — our EU AI Act Article 50 deployer countdown, the underlying FCA AI governance framework, and the ICO AI Code of Practice which already came into force on 12 May 2026.
Procurement red flags between now and 1 September
If your AI voice vendor is exhibiting any of the patterns below, the 77-day clock is not enough buffer. Initiate a vendor review now. Our build, orchestrate or buy decision framework for 2026 sets out the alternatives if a vendor change is required.
The first red flag is opaque audit logging. If the vendor cannot describe the field schema, the immutability mechanism, and the export SLA — and put each in the contract — the deployer cannot deliver artefact four. There is no architectural workaround.
The second is no firm-controlled disclosure path. If the vendor's disclosure language is hard-coded and cannot be edited by the firm without a release cycle, the firm fails clauses one to four of the disclosure architecture. The vendor needs to expose the disclosure layer as configuration the regulated firm controls.
The third is non-UK data hosting without an adequacy answer. If call recordings and the audit log sit in US infrastructure with no documented adequacy or cross-border transfer mechanism, the firm has a UK GDPR exposure on top of the FCA one. The two regulators may issue parallel enforcement.
The fourth is vague training data terms. If the contract does not explicitly exclude the firm's customer data from general-model training, the firm has an Article 9 GDPR exposure and a Consumer Duty exposure (customers did not consent to that use).
The fifth is no escalation accountability. If the vendor cannot evidence the escalation matrix the firm needs — including the test cases for the vulnerability gate — operations cannot deliver artefacts five and six. This is a frequent gap with voice AI orchestration platforms that sell as low-code but underbuild the escalation layer.
The sixth is vendor financial fragility. If the vendor's funding round is uncertain or its enterprise customer count is thin, the firm needs an exit plan. Senior Manager attestation under SC4 cannot rest on a vendor the firm cannot count on through 2027. Our voice AI vendor consolidation guide and the vendor procurement framework for 2026 cover the resilience questions.
If two or more of these red flags apply, the firm should run a parallel vendor evaluation — and may need to escalate procurement. Our enterprise vendor evaluation checklist is the cross-cluster reference.
Where this fits in the UK financial services AI architecture
The Code extension is one of six regulatory pieces an FS firm needs to think about between now and end of 2026. The full map:
- UK GDPR / PECR — the standing data and direct-marketing regime. The PECR consent architecture for AI outbound calling.
- ICO AI Code of Practice (in force 12 May 2026) — the data protection lens on automated decision-making in AI systems.
- FCA Code extension (1 September 2026) — this post.
- FCA Consumer Duty (in force since July 2023) — the cross-cutting outcomes lens, accelerated by the Code extension.
- EU AI Act Article 50(1) (2 August 2026) — the EU-customer-facing disclosure obligation, parallel to clause one.
- EU AI Act Article 50(2) (2 December 2026 under omnibus) — synthetic content marking, relevant for any AI-generated audio assets the firm publishes.
An FS firm with UK and EU customers needs evidence packs that reference all six. The pragmatic structure is one evidence pack with six regulatory cross-references — not six separate evidence packs. The regulated industries architecture guide we published on 11 June is the joined-up reference.
A note on the supervisory direction
The FCA's published commentary through 2026 makes clear the direction of travel. The Code extension is a tightening, not a relaxation. The FCA's Treasury Committee response earlier this year set out that AI-assisted decision-making in regulated communications is in scope of existing rules, and that the regulator's supervisory tools include enforcement for failures of Senior Manager conduct as much as for system failures themselves.
The practical read is this: a firm that walks into 1 September with the eight artefacts signed off, the six clauses live in production, and a monthly operating cadence is in a very different position from a firm that has not started. Enforcement risk, regulatory engagement workload, and the optionality the firm holds in any future supervisory conversation — all are determined by the evidence pack the firm built between now and 31 August.
Honest disclosure
DILR.AI builds enterprise voice AI for regulated UK industries — including FCA-supervised firms in lending, collections, and insurance. We sell the platform under our Dilr Voice product, the readiness work through the DATS five-stage methodology, and the ongoing governance through the execution office phase. We are not a neutral observer. Where we have been retained on FCA-relevant deployments, the eight-artefact evidence pack and the six-clause disclosure architecture above are the patterns we ship.
If you have a deployment in scope and 77 days is starting to look short, that is the conversation to have now, not in August.
Written by the Dilr.ai engineering team — practitioners who ship enterprise voice AI in FCA-regulated UK firms.