
Voice AI for FCA-regulated contact centres: a Consumer Duty compliance checklist

  • Compliance officers
  • CX directors
  • Heads of Ops
  • VP / COO
By Lewis Crook
Bottom line up front

Voice AI in FCA-regulated contact centres must clear Consumer Duty, SYSC 10A call-recording, UK GDPR/ICO, and SM&CR accountability gates before any capability conversation. The single most-failed gate is vulnerable customer detection — most platforms cannot evidence it to a complaint handler's standard.

The four veto questions before any capability scoring

FCA-regulated firms routinely score voice AI vendors on capability — containment rate, latency, integration depth — and only address compliance once a preferred vendor is chosen. By that point the firm has spent six figures on procurement and discovers the platform cannot evidence vulnerable customer handling to a complaint handler's standard. The deal collapses or, worse, ships with risk that surfaces in a Section 166.

Reorder the evaluation. Run these four veto questions before any vendor demo. A vendor that fails any of them is out of the process, no matter how strong the headline metrics.

  1. Can the platform detect and route vulnerable customers in line with FG21/1, and produce the evidence trail a complaint handler needs?
  2. Are calls recorded, retained for five years, and retrievable to SYSC 10A standards — including for calls the AI handled end-to-end without escalation?
  3. Is the model's decision logic explainable in plain English to a complaint handler reviewing a DISP file twelve months later?
  4. Is there a named Senior Manager Function holder accountable for outcomes, and is the deployment recorded in the firm's Statement of Responsibilities?

Consumer Duty (PRIN 2A) on AI-handled calls

Consumer Duty applies on outcome, not on channel. The four outcomes — products and services, price and value, consumer understanding, and consumer support — are tested against the customer's experience, regardless of whether a human or a voice AI delivered the service.

Two outcomes carry the highest risk in voice AI deployments. Consumer understanding requires that the customer can act on the information they receive — a voice AI that uses jargon, speaks too quickly, or fails to confirm understanding fails this outcome. Consumer support requires that customers can access support that meets their needs — a voice AI that loops a vulnerable customer through three failed intents before transferring fails this outcome even if the eventual human resolved it.

Evidence is the FCA's currency. The deployment must log, per call, the outcome the AI delivered, any signals of harm or vulnerability detected, and the action taken in response. A platform that cannot export that data set is not Consumer Duty-ready.

Consumer Duty outcomes — voice AI failure modes and the evidence the FCA expects
| Outcome | Voice AI failure mode | Evidence the firm must hold |
|---|---|---|
| Products & services | AI promotes/cross-sells outside the customer's target market | Per-call log of any product mention plus target-market check |
| Price & value | AI quotes price without contextualising fees, charges or alternatives | Transcript with price/fee disclosure flag |
| Consumer understanding | AI uses jargon; no comprehension check before action | Transcript plus comprehension-check turn (verbatim confirmation) |
| Consumer support | Vulnerable signal missed or mis-routed; loop before transfer | Vulnerability signal log, route decision, time-to-human metric |

SYSC 10A: call recording, retention, and the AI-only call

SYSC 10A requires firms to record telephone conversations and electronic communications relating to in-scope activities and to retain them for at least five years (seven for MiFID II business, with the option to extend to seven years for the Senior Manager regime). The rule was written for human-handled calls and is silent on AI-only calls — which is precisely where most firms get this wrong.

The FCA's position, confirmed in supervisory letters, is that an AI-handled call that would have been recorded if a human took it must be recorded if the AI takes it. A platform that retains a transcript or a model-generated summary but not the underlying audio is not compliant for SYSC 10A purposes. The audio is the record.

Two operational consequences follow. First, the platform must write audio to a retention store the firm controls, not a vendor-managed bucket the firm cannot subpoena. Second, the retrieval workflow must work for AI-only calls the same way it works for agent-handled calls — a Subject Access Request that returns audio for the human-handled half of a session but only a transcript for the AI-handled half is a finding.

UK GDPR, the ICO, and automated decision-making

Three UK GDPR provisions bite hardest on voice AI deployments. Article 6 (lawful basis) is usually straightforward — legitimate interest or contract performance covers most contact-centre handling. Article 9 (special category data) becomes live the moment the AI handles a health, financial-vulnerability, or biometric voice-print signal; the firm needs an Article 9 condition and an appropriate policy document.

Article 22 (automated decision-making) is the one most firms misread. It applies only where the decision produces legal effects or similarly significantly affects the customer. A voice AI that routes a call or schedules a callback does not trigger Article 22. A voice AI that approves or declines a loan top-up, accepts or rejects a claim, or applies a fee waiver does. For Article 22 use cases, the customer has a right to human review, the firm must explain the logic involved, and a DPIA is mandatory.

The ICO's 2023–2024 guidance on AI and data protection sets a higher bar than many vendors assume. Expect to evidence: a DPIA covering the model and its training data; a record of testing for bias and accessibility; a written policy on how the firm explains AI decisions to customers; and a route for the customer to contest a decision and reach a human.

SM&CR: who is accountable when the AI gets it wrong

Under the Senior Managers and Certification Regime, every prescribed responsibility must sit with a named Senior Manager Function holder. A voice AI deployment touches at least three: SMF3 (executive director) or SMF1 (CEO) at the strategic level, SMF16 (compliance oversight) for the regulatory framing, and SMF17 (MLRO) where the AI handles transactional flows that could touch financial crime. SMF24 (chief operations) is where most firms land day-to-day accountability.

The deployment paperwork must name the SMF holder accountable for outcomes and reference the deployment in their Statement of Responsibilities. A vendor cannot accept this accountability — it stays with the firm. The vendor's contract should, however, give the named SMF the access and information they need to discharge it: real-time outcome data, transcripts, audio, and an escalation path for incidents.

Vulnerable customer detection: the most-failed gate

FG21/1 sets out the FCA's expectations on the fair treatment of vulnerable customers. The expectation is not that the firm prevents harm in every case — it is that the firm can evidence it identified vulnerability signals, made a proportionate decision, and routed the customer appropriately.

Voice AI platforms fall into three tiers on this. Tier 1 platforms detect no vulnerability signals and have no logging of routing decisions; they are not deployable in an FCA-regulated contact centre without a wrapper that adds these capabilities. Tier 2 platforms detect a limited signal set (typically explicit phrases like "struggling" or "can't pay") and route on a hard rule; they are deployable but the firm must own the rule logic and document it. Tier 3 platforms detect a broader signal set (prosody, hesitation, repeat-contact within a short window, drivers of vulnerability under FG21/1's four categories) and produce per-call evidence; these are the only platforms that can be deployed without a compensating control.

The veto question is not whether the platform claims to detect vulnerability — every vendor claims this. The veto question is whether, given a customer who later complained about being mis-handled while vulnerable, the platform can produce the signals it saw, the decision it made, and the route it took. If the answer requires the vendor to query their own logs and email a PDF, the firm is not in control of its own evidence.

What to add to your voice AI RFP

Bake the regulatory questions into the RFP at the same weight as capability. Vendors who cannot answer these in writing should not progress past first round.

  • Provide a worked example of how a vulnerable customer signal is detected, logged, and routed. Include the data fields exported per call.
  • Confirm where call audio is stored, who controls the retention store, and how the firm retrieves audio for a SAR within statutory deadlines.
  • Provide your DPIA template covering model training data, bias testing, and accessibility testing.
  • Confirm whether any deployed flow falls within UK GDPR Article 22, and provide the human-review workflow if so.
  • Confirm the platform can produce, per call, the data set a complaint handler needs: transcript, audio, intent classification, vulnerability signals, decision logic, and routing decision.
  • Provide the contractual access and information rights the named SMF holder will have, including incident-notification SLAs.
  • Confirm SOC 2 Type II, ISO 27001, and Cyber Essentials Plus where applicable. The FCA expects evidence, not assertions.
Do this on Monday

Map your current voice AI shortlist against the four veto questions. Eliminate any vendor that cannot answer all four in writing before this Friday — no matter how strong their capability scoring.

Key takeaways
  • Consumer Duty applies to AI-handled calls the same way it applies to human-handled calls — outcome, not channel, is what is tested.
  • SYSC 10A requires call recording and 5-year retention; an AI that summarises but does not retain the underlying audio is not compliant on its own.
  • Vulnerable customer detection must be evidenceable, not just claimed — log the signals, the decision, and the route taken.
  • ICO guidance on automated decision-making (UK GDPR Art. 22) applies if the AI takes a decision with significant effect — most contact centre flows do not, but lending and claims do.
  • Every voice AI deployment in an FCA firm needs a named SMF holder (typically SMF24 or SMF3) accountable for outcomes — name them in the deployment paperwork or the firm is in breach of SM&CR.

Frequently asked questions

Does Consumer Duty apply to AI-handled calls?
Yes. Consumer Duty applies on outcome, not on channel — an AI-handled call is tested against the same four outcomes as a human-handled call. The firm must be able to evidence the outcome it delivered to each customer.
Do we need to record calls the AI handles end-to-end?
Yes, if the call would have been recorded had a human taken it. SYSC 10A applies to the activity, not the handler. The audio — not a transcript or a summary — is the record, and must be retained for five years (seven for MiFID II business).
When does UK GDPR Article 22 apply to voice AI?
Article 22 applies when the AI's decision produces legal effects or similarly significantly affects the customer — loan approvals, claim decisions, fee waivers. Routine routing, scheduling, and information delivery do not trigger Article 22, but they still need Article 6 (and often Article 9) cover.
Who is the named accountable Senior Manager for a voice AI deployment?
Most firms place day-to-day accountability with SMF24 (chief operations), with SMF16 (compliance oversight) for regulatory framing. The deployment must appear in the named SMF's Statement of Responsibilities — a vendor cannot accept this accountability on the firm's behalf.
What is the most common reason a voice AI fails FCA scrutiny?
Inability to evidence vulnerable customer handling to FG21/1 standards. Vendors claim detection capability, but the test is whether — given a later complaint — the platform can produce the signals it saw, the decision it made, and the route it took. Most cannot.

Terms used in this guide

  • Voice AI: Voice AI is software that answers the phone, understands what the caller wants, and takes action — not just a smarter IVR.
Last reviewed: 2026-06-15. This guide is updated when production patterns shift; see the corrections page to flag anything that no longer matches reality.
About the author
Lewis Crook
Practitioner writer on enterprise voice AI

Lewis Crook — 20 years in enterprise technology, from FTSE 100 voice deployments to over a million AI-handled minutes a month across Asia-Pacific. Buyer, builder, and now working with CX leaders on enterprise voice AI. Writes The Voice AI Brief.
