Back to resources
Comparison guide

ICO AI Auditing Framework vs FCA guidance: a practitioner comparison

How the ICO's AI Auditing Framework and the FCA's expectations for AI in financial services differ in scope, evidence expectations and operational implementation — with a practical mapping for teams governed by both.

10 June 2026AgentAudit Policy18 pp

"Download PDF" opens your browser's print dialog — choose Save as PDF as the destination.

Why compare the two frameworks

UK regulated firms deploying AI agents in customer-facing journeys sit under two supervisory regimes at once. The ICO's AI Auditing Framework sets the expectations for lawful, fair and accountable processing of personal data by AI systems under UK GDPR. The FCA's guidance on AI, layered over Consumer Duty, SYSC and operational-resilience rules, sets the expectations for conduct, fair customer outcomes and firm-level risk management.

In practice, most firms treat these as two workstreams inside two different departments — DPO on one side, compliance and risk on the other. That is operationally expensive and creates evidence duplication. This paper maps the two frameworks against each other and proposes a single control set that satisfies both.

Accountability and governance expectations

Both frameworks converge on the same accountability principle: a named senior individual must be answerable for the AI system, and there must be a documented governance structure sitting above it. The ICO expresses this through the accountability principle of UK GDPR and the DPIA obligation. The FCA expresses it through the Senior Managers and Certification Regime and the Consumer Duty's board-attestation requirement.

Operationally, this means the same governance artefact — a named owner, a risk classification, a documented control set and a board-level reporting line — satisfies both regimes. Firms that maintain two separate governance registers are duplicating work.

Data protection vs conduct-of-business overlap

The ICO framework's focus is on the lawfulness of processing, the fairness of automated decisions, the rights of data subjects and the security of the processing environment. The FCA's focus is on the fair treatment of customers, the accuracy and appropriateness of advice, and the operational resilience of the firm.

These overlap on three specific points. First, both regimes require that automated decisions affecting customers can be explained. Second, both require that customers can obtain human review. Third, both require evidence that the firm has tested the system for bias, error and drift before and during production use.

  • Explainability — required by both, evidenced by decision-rationale capture
  • Human review pathway — required by both, evidenced by escalation workflow logs
  • Pre-deployment and in-life testing — required by both, evidenced by evaluation harness runs

Evidence expectations side-by-side

The ICO framework expects: a DPIA, a lawful-basis assessment, a fairness assessment, a security assessment, a subject-rights procedure, and evidence of ongoing monitoring for accuracy and bias. The FCA expects: a product governance assessment, a target-market analysis, a foreseeable-harm assessment, a fair-value assessment, and evidence of ongoing outcome monitoring.

The overlap is substantial. The fairness assessment (ICO) and the foreseeable-harm assessment (FCA) can be authored as a single document with two labelled sections. The ongoing accuracy and bias monitoring (ICO) and the ongoing outcome monitoring (FCA) are satisfied by the same telemetry pipeline: capture behavioural metrics, alert on drift, report to second line quarterly.

Operational implementation differences

Where the frameworks diverge is in the granularity of the evidence they expect. The ICO wants to see specific data-flow diagrams, retention schedules and processor contracts. The FCA wants to see specific outcome metrics per customer cohort, product-value assessments and management-information packs.

The two evidence sets are complementary, not conflicting. A well-designed governance platform captures both from the same underlying primitives — the audit trail feeds both the DPIA evidence log and the Consumer Duty MI pack.

A unified control mapping for firms governed by both

The practical recommendation for FCA-authorised firms is to design the control set once, against the union of both frameworks, and produce two output views for the two supervisors. This avoids the classic failure mode of a firm having ICO-facing controls and FCA-facing controls that drift out of alignment.

AgentAudit's sector overlay for financial services implements exactly this mapping — the same underlying evaluation, telemetry and audit trail produce the DPIA-aligned view for the DPO and the Consumer Duty-aligned view for the CCO.

What a second-line reviewer should look for

A second-line reviewer inspecting an AI agent that sits under both regimes should ask five questions. Who owns this agent, and are they answerable under both regimes? Where is the DPIA, and does its fairness assessment match the FCA foreseeable-harm assessment? Is the ongoing monitoring one pipeline or two, and if two, when did they last agree? What is the human-review pathway, and has it been tested in the last quarter? Is there a single decision-rationale record that would satisfy both an ICO audit and an FCA s.166?

If the answer to any of these is unclear, the firm's governance is duplicated, drifting, or both.

Takeaway

Firms subject to both the ICO AI Auditing Framework and the FCA's AI guidance should design a single control set against the union of both regimes. The evidence overlap is substantial; the operational cost of running two parallel workstreams is not justified.

Want the full methodology library?

Subscribe to the practitioner briefing — quarterly methodology updates and regulator commentary.