An AI chatbot development for UK financial services must navigate FCA COBS (Conduct of Business Sourcebook) requirements that prohibit AI from giving regulated financial advice - but permit AI to provide factual product information, answer account queries, route customers to the right team, and handle non-advised customer service. For FCA-authorised firms - wealth managers, insurance brokers, IFAs, banks, and lenders - a properly configured AI chatbot handles 50-65% of inbound customer queries without regulatory risk. Implementation costs £3,500-£10,000 with a 4-8 week deployment timeline. Softomate Solutions builds FCA-compliant AI chatbots for UK financial services firms, with COBS-aware conversation design included in every engagement.
Last updated: 18 May 2026
Published 18 May 2026The Financial Conduct Authority's Conduct of Business Sourcebook is the primary rulebook governing how regulated firms communicate with and serve retail and professional clients. For any FCA-authorised firm considering an AI chatbot, COBS sets the boundary between what automation can handle and what requires a qualified, regulated adviser.
COBS 2.1.1 requires firms to act honestly, fairly, and professionally in accordance with the best interests of their clients. This applies to every communication channel a firm operates - including an AI chatbot. A chatbot that misleads a customer about a product's risk level, omits a material fee, or steers a customer towards an unsuitable product breaches this rule regardless of whether the interaction was automated or human-delivered.
COBS 4 governs financial promotions and client communications. Any statement made by an AI chatbot that could constitute a financial promotion - that is, an invitation or inducement to engage in investment activity - must be fair, clear, and not misleading. This means chatbot scripts require legal review before deployment. Promotional language, superlatives, and cherry-picked comparisons are off-limits.
COBS 9 covers suitability: the requirement to assess whether a product or service is appropriate for a specific client based on their circumstances, knowledge, experience, and financial position. An AI chatbot cannot conduct a suitability assessment. It cannot ask the qualifying questions, weigh the answers, and produce a recommendation that meets COBS 9 standards. Any firm that attempts to automate a suitability recommendation faces enforcement risk.
COBS 19 covers retirement income advice - an area of particular FCA scrutiny following the pension freedoms introduced in 2015. Guidance on drawdown, annuity purchase, or defined benefit transfer is regulated advice. A chatbot that answers a pensioner's question about whether they should take a lump sum versus drawdown is not providing information - it is providing regulated advice without authorisation.
The table below clarifies where the line sits for AI chatbot functions in FCA-regulated firms.
| Function | AI Chatbot - Permitted | Requires FCA Regulated Adviser |
|---|---|---|
| Account balance and transaction history | Yes - read-only factual data | No |
| Factual product information (rates, fees, terms) | Yes - present published information | No |
| Policy document retrieval | Yes - authenticated document portal | No |
| Appointment booking with an adviser | Yes - diary integration | No |
| Generic financial education (what is an ISA?) | Yes - factual, non-personalised | No |
| Signposting regulated advice services | Yes - directing customer to the right team | No |
| New client onboarding questionnaire (data collection only) | Yes - collect and route, do not assess | No |
| Investment recommendation (which fund should I buy?) | No | Yes - COBS 9 suitability required |
| Pension drawdown versus annuity guidance | No | Yes - COBS 19 retirement advice |
| Mortgage suitability assessment | No | Yes - regulated mortgage advice |
| Defined benefit transfer recommendation | No | Yes - specialist DB transfer adviser |
| Insurance product recommendation based on personal circumstances | No | Yes - regulated insurance advice |
The principle is this: an AI chatbot can inform, direct, and serve - but it cannot advise. Any response that tells a specific customer what they should do with their money based on their individual circumstances crosses into regulated advice territory. Softomate's COBS-aware conversation design maps every chatbot decision path against these rules before a single line of dialogue goes live.
The FCA Consumer Duty came into force in July 2023 and represents the most significant shift in UK retail financial services regulation in a generation. It moves beyond rule-based compliance towards an outcomes-based framework: firms must demonstrate that customers are achieving good outcomes, not just that the firm followed a process.
The three cross-cutting rules under Consumer Duty are directly relevant to AI chatbot design. First, firms must act in good faith - meaning AI chatbot scripts cannot be designed to obscure fees, downplay risks, or steer customers towards products that serve the firm's interests over the customer's. Second, firms must avoid causing foreseeable harm - a chatbot that fails to escalate a distressed customer to a human, or that provides ambiguous information that causes a customer to make a poor financial decision, creates foreseeable harm the firm is responsible for. Third, firms must enable customers to pursue their financial objectives - the chatbot must genuinely help customers get what they need, not just deflect queries.
The four consumer outcomes under Consumer Duty - products and services, price and value, consumer understanding, and consumer support - each have implications for AI chatbot deployment. Consumer support, in particular, requires that customers receive the support they need when they need it. A chatbot that answers only a narrow set of scripted queries and cannot escalate appropriately fails this outcome.
FCA guidance published alongside Consumer Duty (including PS23/16 and subsequent AI-related consultations in 2024 and 2025) has addressed automated customer service directly. The FCA expects firms to be able to demonstrate that automated channels achieve the same consumer outcomes as human channels. A chatbot deployed to reduce costs but configured in a way that leaves customers worse off than a phone call would fails the duty.
Consumer Duty compliance checklist for AI chatbot deployment:
Consumer Duty is not a one-time compliance exercise. Firms must monitor outcomes continuously, which means logging AI chatbot interactions and reviewing them for quality and outcome signals. Softomate's chatbot implementations include a logging and monitoring layer that supports this ongoing Consumer Duty obligation.
The compliance framework tells you what is off-limits. The table below shows what is within scope for each common firm type, and what must remain with a human adviser. These categories represent the queries that UK financial services AI chatbots handle successfully today - based on Softomate's deployment experience across regulated firms.
| Firm Type | AI Chatbot Can Handle | Must Go to Human Adviser |
|---|---|---|
| Wealth Manager | Account balance and portfolio valuation (read-only), appointment booking with relationship manager, document request (valuations, statements, tax certificates), annual review reminder and scheduling, generic investment education (what is a SIPP?) | Portfolio rebalancing recommendation, new investment selection, suitability review, tax advice, drawdown strategy |
| Insurance Broker | Policy renewal reminders and payment processing, claims first notification of loss (FNOL) - initial data capture only, policy document retrieval, premium payment queries, coverage definition queries (factual - what does my policy cover?), mid-term adjustment requests routed to handler | Coverage recommendation for new risk, claims assessment and settlement negotiation, advice on whether to claim versus self-insure |
| IFA Firm | Appointment booking and confirmation, document portal access, annual review reminder, new client onboarding questionnaire (data collection, not assessment), general financial planning education, signposting to Money Helper for generic guidance | Any suitability-based recommendation, pension transfer analysis, investment strategy, protection needs review, tax planning |
| Retail Bank / Lender | Account balance and statement requests, transaction history and dispute initiation, mortgage rate queries (published factual rates only), lost or stolen card reporting and temporary freeze, branch and ATM finder, payment reference queries, direct debit management | Mortgage suitability assessment and recommendation, overdraft strategy advice, debt restructuring, savings strategy based on individual circumstances |
| Credit Union | Loan application status (factual update), share account balance, dividend payment dates, member portal access, payment processing queries, general product information | Loan eligibility assessment, advice on whether a loan is appropriate for the member's situation |
A well-scoped AI chatbot in a wealth management firm handles 40-55% of inbound queries - primarily the high-volume, low-complexity requests that consume adviser and administrator time without generating revenue. In insurance, FNOL capture automation typically removes 20-30 minutes of manual data collection from each claim, with immediate routing to the correct claims handler. In retail banking, account servicing queries (balance, transactions, card queries) represent 60-70% of inbound contact volume - the vast majority of which can be handled without human intervention.
The key design principle is scope discipline. A chatbot that attempts to handle everything and fails on regulated queries creates more compliance risk than one that handles 40% of queries perfectly and escalates the rest cleanly. Softomate's scoping process begins with a query audit - mapping a firm's actual inbound query volume by type - before any conversation design begins.
FCA Guidance FG21/1, published in February 2021, sets out the FCA's expectations for how firms identify and treat vulnerable customers. A vulnerable customer is defined as someone who, due to their personal circumstances, is especially susceptible to harm - particularly when a firm does not act with appropriate levels of care. Financial services firms have a regulatory obligation to identify potential vulnerability and respond appropriately.
Four vulnerability drivers are identified in FG21/1: health (physical or mental conditions that affect ability to manage financial affairs), life events (bereavement, relationship breakdown, job loss, carer responsibilities), resilience (low financial resilience or emotional resilience to cope with financial shocks), and capability (low financial literacy or digital skills). An AI chatbot interacting with thousands of customers will encounter all four.
Vulnerability detection in AI chatbots works through a combination of language signal analysis, interaction pattern recognition, and contextual flags. Language signals include direct statements of distress or difficulty, mentions of bereavement or illness, expressions of confusion after multiple clarifying attempts, and requests to speak with a human after the chatbot's response. Interaction patterns that flag vulnerability include the same query repeated multiple times in a session, contact outside normal hours combined with distress language, and abandonment after a payment-related query.
When a vulnerability signal is detected, the chatbot's escalation protocol must activate immediately. The FCA expects this escalation to be immediate, warm (not a cold transfer to a queue), and documented. The customer should be transferred to a human with the conversation context pre-loaded - not required to repeat their situation. The human handler should be briefed that a vulnerability flag has been triggered.
Documentation is a regulatory requirement, not an optional extra. Every customer interaction that triggers a vulnerability flag must be logged with the trigger type, the customer's query, and the escalation action taken. This log must be available for FCA inspection. For MiFID II-regulated investment firms, this log forms part of the mandatory record-keeping requirement under SYSC 9.
Softomate builds vulnerability detection and escalation logic into every financial services chatbot. The trigger phrases and patterns are reviewed by compliance professionals before deployment and updated quarterly based on new FCA guidance. This is not a feature add-on - it is a baseline requirement for any FCA-regulated firm deploying AI customer service.
AI chatbots in UK financial services operate at the intersection of two regulatory frameworks: the UK General Data Protection Regulation (UK GDPR) administered by the Information Commissioner's Office (ICO), and FCA record-keeping requirements primarily set out in SYSC 9 and specific COBS provisions. Both apply simultaneously, and neither takes precedence over the other.
Under UK GDPR, customer conversations with an AI chatbot are personal data. The lawful basis for processing this data must be established before the chatbot goes live - typically legitimate interests (servicing an existing customer relationship) or contract performance. The privacy notice must be updated to include AI chatbot interaction data, the purposes for which it is processed, and the retention period. For financial services firms, this is typically already covered under existing client data processing notices, but the specific reference to AI-processed conversation data should be explicit.
FCA SYSC 9.1 requires firms to retain records of all services and transactions. For a chatbot handling account queries, document requests, and appointment bookings, every conversation log is a relevant business record. The standard retention period for most COBS-relevant conversations is five years from the date of the interaction. For pension-related interactions, the retention period extends to the later of five years or the end of the client relationship. For MiFID II-regulated investment firms, the minimum is five years with an extension to seven years if the regulator requests it during that window.
Data residency is a material consideration for regulated financial services firms. UK GDPR requires that personal data transferred outside the UK is subject to adequate protections - the standard international data transfer agreement (IDTA) or equivalent. Many UK financial services firms, particularly those with professional indemnity insurance conditions or FCA authorisation conditions, require that client data remains within the UK or European Economic Area. Any AI chatbot platform that routes data through US-based servers requires explicit contractual protections and, in some cases, client disclosure.
The customer's right of access under UK GDPR applies to chatbot conversation transcripts. A Subject Access Request (SAR) from a customer can include their chatbot conversation history. Firms must be able to retrieve, review, and provide this data within the statutory one-month window. AI chatbot platforms that do not retain searchable conversation logs by customer identity create a SAR compliance problem. Softomate configures all financial services chatbot deployments with structured conversation logging linked to customer identity, with a retrieval process documented as part of the firm's SAR procedure.
Softomate Solutions builds AI chatbots for FCA-regulated financial services firms from a compliance-first starting point. Every engagement includes a structured scoping process, COBS-aware conversation design, Consumer Duty alignment, vulnerable customer logic, and a post-launch compliance review. The deliverable is not a generic chatbot with a financial services skin - it is a purpose-built, regulation-aware customer service layer designed for the specific firm type and the regulatory obligations it carries.
The engagement covers the following in every financial services chatbot project:
Investment in a Softomate COBS-compliant AI chatbot runs from £3,500 for a single-channel, narrowly scoped deployment (for example, an IFA firm's appointment booking and document retrieval chatbot) to £10,000 for a multi-channel, multi-function deployment across a wealth management or insurance business. Deployment timeline is 4-8 weeks from scoping sign-off to go-live, including internal compliance review and FCA disclosure finalisation.
Financial services firms that have deployed Softomate AI chatbots report handling 50-65% of inbound customer service queries through the automated channel within 90 days of go-live, with no regulatory complaints attributable to the chatbot in any deployment to date. The compliance framework is not a constraint on the chatbot's usefulness - it is the foundation that makes it safe to deploy at all.
No. Mortgage advice in the UK is regulated activity under the Financial Services and Markets Act 2000. An AI chatbot can provide factual information about a lender's published mortgage products, rates, and eligibility criteria, and can direct a customer to a regulated mortgage adviser. It cannot assess a customer's circumstances and recommend a specific mortgage product - that is regulated advice requiring a qualified, FCA-authorised adviser.
The chatbot as a technology tool does not require FCA authorisation. The firm deploying it does - and if the firm is already FCA-authorised, the chatbot operates under that authorisation. However, the firm remains fully responsible for ensuring the chatbot operates within its regulatory permissions. A chatbot that causes the firm to provide unregulated advice creates an enforcement risk for the firm, not the technology provider. Softomate's compliance design is intended to ensure the chatbot stays within the firm's existing permissions.
Every conversation between a customer and an AI chatbot is personal data under UK GDPR. The firm must establish a lawful basis for processing it, update its privacy notice to reference chatbot interaction data, configure data retention in line with FCA record-keeping requirements (typically five years), and be able to respond to Subject Access Requests for chatbot conversation transcripts within one month. Data residency - keeping customer data within the UK or EEA - is a standard requirement for most regulated firms.
A narrowly scoped AI chatbot for a small IFA firm - covering appointment booking, document portal access, annual review reminders, and new client onboarding data collection - typically costs £3,500-£5,000, with a 4-6 week deployment timeline. This includes COBS compliance mapping, Consumer Duty review, vulnerable customer escalation logic, FCA disclosure wording, and a 30-day post-launch review. There are no per-query charges - the cost is a fixed implementation fee.
The FCA Consumer Duty (effective July 2023) requires firms to demonstrate good consumer outcomes across all channels, including AI customer service. A chatbot must act in good faith (no misleading framing), avoid foreseeable harm (escalate distressed or confused customers), and enable customers to pursue their financial objectives (resolve queries or route to the right person). Firms must log outcome indicators from chatbot interactions and be able to demonstrate Consumer Duty compliance in the event of an FCA review or supervisory request.
Yes - with the right configuration. Softomate builds vulnerability detection logic into every financial services chatbot using language pattern analysis, interaction pattern recognition, and contextual flags aligned with FCA FG21/1. When a vulnerability signal is detected, the chatbot immediately escalates to a human with the conversation context pre-loaded. Every triggered escalation is logged for FCA record-keeping purposes. This is not optional in a regulated firm - the FCA expects firms to identify and respond to vulnerability across all customer contact channels.
Well-configured AI chatbots handle 65-80% of UK website enquiries without human intervention. The remaining 20-35% are escalated to human agents due to: complexity beyond the chatbot's training data (typically 15%), explicit requests to speak with a person (typically 10%), and technical failures (typically 5%). UK businesses in sectors with highly standardised enquiries (dental appointment booking, trade quote requests, property viewing scheduling) achieve automation rates above 80%. Complex B2B sales queries and regulated advice requests (legal, financial, medical) are designed to escalate directly to humans.
The FCA's regulatory framework does not prevent AI chatbots from delivering real value in UK financial services - it defines the boundaries within which that value can be delivered safely. Firms that invest in COBS-aware conversation design, Consumer Duty alignment, and vulnerable customer escalation can automate 50-65% of inbound customer service volume without regulatory risk. The remaining queries are handled better by a human precisely because the chatbot's scope discipline routes them correctly. That is the model Softomate builds for every FCA-regulated client.
Build a chatbot that serves customers and satisfies the FCA. Explore Softomate's AI Chatbot for Financial Services or book a free compliance consultation.
Written by Rakesh Patel, AI Automation Consultant at Softomate Solutions, Barking, East London.More from the blog
Let us help
Talk to our London-based team about how we can build the AI software, automation, or bespoke development tailored to your needs.
Softomate Solutions Limited
Deen Dayal Yadav
Online
