Man working on laptop

The Mills Review and financial crime: mind the autonomy gap

5 min read 1 July 2026 By Cat Morris, Partner, expert in Financial Crime Risk Management, and Kelly Letsiou, expert in Financial Crime Risk Management

The Mills Review for the FCA Board, sets out how AI could reshape retail financial services by 2030 and beyond. It maps that transformation across four system shifts: how firms operate, how consumers make decisions, how competition and market power are distributed, and how financial crime and cyber risk evolve.

Financial crime is the fourth of those shifts, and, we would argue, the one where the stakes compound fastest. The other three describe a market changing around consumers and firms. This one describes a capable adversary picking up the same technology at the same time, with none of the constraints a regulated firm operates under. It is less a question of "if AI reaches our controls" than of who reaches the frontier first.

The headline the Review gives you is familiar: AI makes fraud and cyberattacks faster, cheaper, more scalable and more persuasive, with deepfakes, synthetic identities and personalised social engineering already changing how attacks are run. That is true and worth saying. It is also not new information, and it is not where the action is.

The Review maps how financial crime control automation is moving along an “autonomy spectrum”. This starts with AI summarising a KYC file, then jointly building case files, leading alert triage, to investigating suspicious activity and drafting the SAR, to finally adapting detection strategies and pursuing investigations while humans “monitor for drift”.

The practical question for firms is therefore no longer simply:

Are we using AI?

It is:

How much decision-making authority are we giving AI within each financial crime control, and can our governance keep pace as that authority changes?

Firms should consider that progression for what it actually is: a description of your target operating model, whether or not you have consciously chosen it yet.

Here is the asymmetry that should focus minds. Criminals face no model risk committee, no SM&CR, no audit-trail requirement. They are already operating at the far end of that spectrum. Most financial crime functions are stuck at the near end: using AI to summarise and assist, while the governance to deploy it defensively at higher autonomy does not yet exist. The Review’s implicit message is that the gap between attacker autonomy and defender autonomy is now your primary financial crime risk.

None of this arrives as a new rule. The Review makes recommendations to the FCA, not to firms, and explicitly cautions against rushing to write rules. So, the honest framing is not “comply” - it is “get ahead while you still can”. Four things are worth starting now.

  1. Define an autonomy appetite for financial crime controls. Firms should decide how much authority AI may have within each material control.

    For screening, KYC, transaction monitoring, fraud detection, investigations and SAR processes, this means defining:

    • what AI may do independently;
    • what AI may recommend or prepare;
    • which decisions require human approval;
    • which activities must remain human-led; and
    • what evidence would be required before greater autonomy is permitted.
  2. Assume your attackers are agentic, and test accordingly. Pressure-test onboarding, authentication and fraud controls against AI-generated attacks (synthetic identities, deepfake liveness, personalised APP scams) not last year's typologies. If your fraud and financial crime teams still run as separate functions on separate data, the convergence the Review describes will find the seams.

  3. Extend model risk management to financial crime AI. The Review is blunt that these models drift: fraud patterns and customer behaviour change faster than periodic re-validation. Point-of-deployment testing is not enough. Move to continuous monitoring for degradation and outliers: this is where financial crime detection fails silently, producing clean dashboards over missed risk.

  4. Measure and reduce the threat-to-control cycle: Traditional financial crime metrics often focus on alert volumes, false positives, investigation time and reporting. The Mills Review points to another important measure: how quickly can a firm adapt its controls when criminals adopt a new AI-enabled technique?

    Firms should measure the time between:

    • identifying a new threat or typology;
    • assessing its relevance to the firm;
    • designing or modifying a control;
    • obtaining approval; and
    • deploying the change into production.

    This threat-to-control cycle should be treated as a financial crime risk metric.

Governance should enable faster defence, not slower decision-making.

All four actions depend on live assurance and clear accountability. The Mills Review is explicit that retaining a “human in the loop” is not enough. Firms need to define what the person is expected to review, what information they receive, when they must intervene, how challenge is recorded and how escalation operates. Testing must also continue after implementation so that deterioration, model drift and unexpected behaviour are detected in operation.

The answer to the attacker–defender autonomy gap is not to weaken governance or automate every financial crime decision.

It is to use governance more deliberately: set clear boundaries, detect when autonomy changes, shorten the time needed to adapt controls and connect the information required to see attacks across organisational boundaries.

The firms best positioned for the next phase will not necessarily be those with the most autonomous controls. They will be those that can adapt safely, accountably and at speed.

Contact our experts to discuss your approach.

Our Experts

Related Insights

Contact us

Find out what we can do for you...

Get in touch

Is digital and AI delivering what your business needs?

Digital and AI can solve your toughest challenges and elevate your business performance. But success isn’t always straightforward. Where can you unlock opportunity? And what does it take to set the foundation for lasting success?

Find out more