The UK's Financial Conduct Authority published the Mills Review on July 6, a report authored by executive director Sheldon Mills that argues the regulator needs sweeping new powers to keep pace with how quickly AI is being embedded into banking, trading, credit and fraud systems. The review's central framing is blunt: the FCA is currently in an "arms race" it is not equipped to win under its existing supervisory toolkit.
The report's seven priority recommendations include an immediate three-to-six-month review of general-purpose large language models that currently operate outside the FCA's regulatory perimeter entirely -- an acknowledgment that foundation models built by labs with no financial-services license are already shaping decisions inside regulated firms without any direct oversight of the models themselves.
More striking is the review's push to expand the UK's existing "critical third parties" regime, originally built to supervise cloud and IT vendors that regulated firms depend on, to explicitly cover major AI providers -- naming OpenAI, Anthropic, Amazon, Google and Microsoft directly. That would mark one of the first times a financial regulator has proposed direct supervisory reach over frontier AI labs themselves, rather than only the banks that use their models.
The review also calls for the FCA to modernize its own supervisory method, moving from periodic human review cycles to automated, real-time tools capable of observing market patterns and cross-firm dependencies as they happen -- an implicit admission that traditional model-risk frameworks built for slower-moving legacy software cannot keep up with AI systems that can be retrained and redeployed in days.
The timing places the Mills Review alongside a cluster of other AI-oversight moves landing the same week: the UN's Global Dialogue on AI Governance opening in Geneva, the EU AI Act's Article 50 watermarking obligations taking effect August 2, and the US's own voluntary frontier-model review framework finalized in June. Together they suggest 2026 is the year AI governance shifts from scattered statements of concern to actual proposed enforcement mechanisms across multiple major jurisdictions simultaneously.
For fintech and regtech investors, a regulator naming its own capability gap this explicitly, and naming the five specific AI providers it wants new authority over, is about as clear a market signal as this sector gets: demand for AI-governance, model-risk-monitoring and real-time compliance tooling built specifically for financial services is likely to accelerate well ahead of any final rulemaking.
The bear case: review recommendations are not law, and expanding the critical-third-parties regime to cover OpenAI, Anthropic and the major clouds would likely face significant industry pushback and years of consultation before taking effect, following the same slow path UK financial regulation has historically taken with new technology oversight.
What to watch: whether the FCA formally launches its three-to-six-month LLM review on the recommended timeline, how OpenAI, Anthropic and the major clouds respond publicly to being named as potential critical-third-party targets, and whether other national regulators reference the Mills Review as a template for their own AI-oversight expansion.