Skip to main content

AI governance and compliance training for UK regulated firms

One workshop covering the cross-regulator governance bar, for firms sitting across SRA, ICAEW, FCA, ICO, RICS, CII, and CIPD axes

Half-day session for 6 to 12 General Counsel, Heads of Compliance, Data Protection Officers, and partnership-level leaders. Covers the recurring governance questions that sit above any single regulator: vendor due diligence and sub-processor mapping, DPIA and UK GDPR Article 35 triggers, human-in-the-loop design by regulator type, audit trail and retention, and cross-regulator redress across the FOS, the Legal Ombudsman, and the ICO. Delivered by UK-based, vendor-neutral facilitators through The AI Consultancy (London) Ltd.

Enquire about the briefingTake the AI Readiness Assessment
  • For UK regulated firms with 20 to 500 employees
  • Vendor-neutral, no reseller commissions
  • A trading style of The AI Consultancy (London) Ltd
Cross-functional governance leadership team reviewing a shared regulatory posture in a London professional services office.

What a half-day briefing looks like

Six working blocks over roughly four hours, including breaks. Agenda is adapted to your regulatory axes in scope before the session, not on the day.

Diagram mapping the UK regulators covered by the cross-regulator governance briefing: SRA, ICAEW, FCA, PRA, ICO, RICS, CII, and CIPD, with the recurring governance touchpoints (vendor posture, DPIA, human-in-the-loop, audit trail, redress) linked to each.

  1. Block 1

    Vendor due diligence and sub-processor mapping

    Walk through the firm's current AI vendor list, the sub-processor chain per vendor, the data-processing locations, and the contractual posture on training and retention. Produce a per-vendor assessment note that works across SRA, ICAEW, FCA, ICO, RICS, CII, and CIPD axes. The output is a single instrument the firm can rely on whichever regulator asks first.

  2. Block 2

    DPIA and Article 35 trigger analysis

    Run the firm's AI estate against the UK GDPR Article 35 triggers (automated decision-making with legal effect, large-scale special-category processing, systematic monitoring, dataset combination). Produce a short DPIA decision log per in-scope processing activity and agree the sign-off route under the firm's data protection framework. The output is an Article 35 register the ICO recognises.

  3. Block 3

    Human-in-the-loop design by regulator type

    Different regulators expect the human review point to sit in different places. The SRA expects the fee-earner on the matter file; ICAEW expects the named accountant; the FCA expects the SMF holding the Statement of Responsibility; the ICO expects a meaningful human review at automated decision points. The session maps the firm's current AI-influenced workflows against each of those expectations and flags where the review point is absent.

  4. Block 4

    Audit trail, retention, and reconstructible decision paths

    Work through the firm's evidential posture: where an AI-influenced decision can be reconstructed for a specific client or customer, where the retention rules are documented per tool, and where the audit trail would survive a cross-regulator examination. The output is a finding list the firm's General Counsel and Data Protection Officer can take to the Audit Committee.

  5. Block 5

    Redress and complaint handling across FOS, Legal Ombudsman, and ICO

    Firms sitting across multiple regulatory axes carry multiple redress exposures: the Financial Ombudsman Service for FCA-authorised conduct, the Legal Ombudsman for solicitor-regulated work, the ICO for data-protection complaints, and professional-body complaint schemes for each chartered axis. The session walks through how the firm would explain an AI-influenced decision in each forum and where the current governance stack leaves a gap.

  6. Block 6

    Next steps and ownership

    Close the session with named owners, decision dates, and a one-page summary that goes into the written briefing note. The written output is a cross-regulator governance finding list the firm can circulate to the General Counsel, Head of Compliance, Data Protection Officer, and partnership leadership. No open action items leave the room unassigned.

What you leave the room with

Five outcomes, in the language a General Counsel, Head of Compliance, or Data Protection Officer would use when briefing the Managing Partner or the board the next morning.

  • A single vendor posture that works across every regulator we touch

    We have one per-vendor assessment note that covers the SRA, ICAEW, FCA, ICO, RICS, CII, and CIPD axes in scope for the firm, so we are not re-doing the assessment every time a different regulator asks.

  • An Article 35 DPIA register the ICO recognises

    Every AI tool in production has a documented DPIA decision: either a completed DPIA with sign-off, or a recorded reasoning for why one is not required. The register is live and dated.

  • A named human review point per AI-influenced workflow

    For every workflow where AI influences a decision a regulator could test, we have a named human reviewer and a reasoned override pathway that matches the regulator's expectation on who should hold the review.

  • A cross-regulator redress explanation pathway

    For every AI-influenced decision that could end up in front of the FOS, the Legal Ombudsman, the ICO, or a professional-body complaint scheme, we have a reconstructible decision path and a plain-English narrative we could walk the forum through.

  • A governance finding list, not a strategy deck

    We leave with a short list of things to fix, each with a named owner and a decision date. The written summary lands in the inbox by the end of the week.

AI governance for regulated firms: pricing

A single price range with a transparent inclusion and exclusion list. The fee covers the work described below. There are no separate retainers, onboarding fees, or add-ons applied after booking.

Per session, half-day, 6 to 12 leaders

£2,500 to £4,500

Price depends on delivery format (in-person or virtual), travel if any, and whether the agenda needs tailoring beyond the standard pre-briefing call. A specific figure is confirmed in writing before booking.

Enquire about the briefingTake the AI Readiness Assessment

What is included

  • Half-day live session (roughly four hours, including breaks) for 6 to 12 General Counsel, Heads of Compliance, Data Protection Officers, and partnership-level leaders
  • Pre-briefing call to map the firm's regulatory axes in scope and shape the agenda
  • Cross-regulator governance preparatory note, circulated before the session
  • Written briefing summary and a governance finding list the firm can circulate to the compliance, legal, and data protection functions
  • Thirty-minute follow-up call at no additional cost in the four weeks after the session

What is not included

  • Implementation, procurement, or configuration of specific AI tooling, model-risk platforms, or data protection software
  • Formal legal or regulatory advice on a specific matter, supervisory enquiry, or complaint (refer to the firm's General Counsel or external solicitor)
  • A DPIA, a Consumer Duty monitoring report, or an ICO notification on the firm's behalf (we produce the finding list; the firm signs the filings)
  • 90-day enablement or bespoke programmes (priced separately)

Questions a General Counsel asks before booking the briefing

Eight questions we hear most often on the AI governance for regulated firms briefing specifically. Straight answers, no regulatory claim we cannot defend.

Who is the AI governance for regulated firms briefing for?

Firms that sit across multiple regulatory axes at once. Typical audiences include General Counsel, Heads of Compliance, Data Protection Officers, Managing Partners, and Chief Risk Officers at UK firms spanning SRA-regulated legal work, ICAEW-regulated accountancy, FCA-authorised financial services, ICO-supervised data protection, RICS-regulated property and surveying, CII-regulated insurance, and CIPD-linked HR. The briefing is the cross-regulator counterpart to the Legal, Finance, Consulting, HR, Marketing, Financial Services, and Property sector workshops. It is run when the firm needs one instrument that covers the governance bar applicable across multiple regulators rather than a single sector-specific deep-dive.

How does this briefing relate to the sector-specific Learn AI workshops?

The sector workshops (Secure AI for Fee-Earners for law firms, AI for Finance Teams, AI for Consulting Teams, Responsible AI in Hiring, Marketing AI Lab, AI for FCA-regulated firms, AI for compliant estate agency) go deep on one regulator's rulebook. This horizontal briefing sits above them and addresses the governance questions that recur across every sector: vendor posture, DPIA triggers, human-in-the-loop design, audit trail, and cross-regulator redress. Firms that already run the sector workshops use this briefing to join the governance conclusions into one instrument the partnership can point to. Firms that have not yet run a sector workshop use it as the starting point before running the sector-specific one.

What does this briefing not cover?

It does not attempt to reproduce the deep-dive governance content of each sector workshop. The Consumer Duty lens for FS is covered in AI for FCA-regulated firms; the Equality Act adverse-impact testing is covered in Responsible AI in Hiring; the SRA Principle 7 competence framing is covered in Secure AI for Fee-Earners. The horizontal briefing references those lenses without repeating them. It also does not cover any single regulator's rulebook changes since the previous briefing cycle; regulatory-change briefings are a separate scoped engagement.

Are you vendor-neutral, and how do we verify that?

Yes. Learn AI takes no reseller commissions and carries no platform lock-in. The delivery bench is trained across Microsoft Copilot, Google Gemini Workspace, Anthropic Claude, and OpenAI ChatGPT, and across the main enterprise AI governance, model-risk, and data protection platforms. We are happy to put the commercial position in writing before booking.

What regulatory claim does the briefing make, and what does it not claim?

We describe the SRA Principles, the SRA Code of Conduct, the ICAEW Code of Ethics, the FCA April 2024 AI Update and principles-based approach, the Consumer Duty (FCA Principle 12), the Senior Managers and Certification Regime, the FCA Financial Ombudsman Service framework under FSMA Part XVI, the ICO's guidance on AI and data protection and UK GDPR Article 22 on automated decision-making, the RICS Rules of Conduct 2022, the CII Code of Ethics, and the CIPD Profession Map and Code of Professional Conduct. We do not claim accreditation, endorsement, or approved-provider status from the SRA, the Law Society, ICAEW, the FCA, the PRA, the ICO, RICS, ARLA Propertymark, the CII, the Personal Finance Society, the CIPD, or any other professional body unless that body has confirmed alignment to us in writing. Any copy that would bind the firm, or a position on a specific matter or supervisory enquiry, should be reviewed by the firm's General Counsel, Head of Compliance, or external solicitor.

How is the session delivered, and who delivers it?

In-person or virtual, by arrangement. The session runs for roughly four hours including breaks and works best with 6 to 12 attendees. Delivery is by a facilitator from the Learn AI delivery bench with experience in UK regulated firm contexts. Either a senior associate from The AI Consultancy (London) Ltd or a certified partner trained against the same agenda. We confirm the named facilitator in writing before booking.

What happens after the briefing?

The session concludes with a written summary and a cross-regulator governance finding list, typically sent within five working days. A thirty-minute follow-up call is offered at no additional cost in the four weeks after the session. Where the firm decides to take the findings into a named workflow (vendor governance, DPIA rollout, audit-trail build-out, cross-regulator redress pathway), the 90-Day Enablement programme is the natural follow-on.

When should we escalate into the 90-Day Enablement Subscription?

When the briefing finding list has more than six to eight items or the firm needs a named team trained across the same governance bar over a full quarter. The 90-Day Enablement programme covers a kickoff workshop, bi-weekly office hours, a curated prompt library, and a day-90 impact assessment. Pricing is £8,000 for a team of 10 to 25 users. The finding list from this briefing is the starting point for the 90-day plan; no duplication, no repeat diagnostic.

What cross-regulator governance leaders tell us after the briefing

Attributions anonymised at role and firm-type level until named clients sign a usage permission.

  • The vendor posture block was worth the fee on its own. We left with one per-vendor note that our SRA compliance and ICO compliance teams were both able to stand behind, rather than two separate assessments that said similar things.

    General Counsel, UK multi-practice professional services firm (200 to 500 staff)

  • Our firm sits under the SRA, ICAEW, and the FCA depending on which engagement you look at. The briefing was the first session we have run that addressed all three at once, instead of producing three separate governance answers we then had to reconcile ourselves.

    Head of Compliance, UK professional services group (100 to 250 staff)

  • Straight answers on the human-in-the-loop question across the regulators we touch, without the usual AI-hype layer. The cross-regulator redress walk-through was the single most useful hour of governance training the legal function has had this year.

    Data Protection Officer, UK insurance and advisory firm (100 to 250 staff)

Built for UK regulated teams

Three commitments we carry into every engagement. Professional-body alignments are pursued once we have case studies to substantiate them.

  • GDPR-compliant by design

    Assessment data is stored in the UK, minimised by default, and retained only for the term stated in our privacy notice.

  • UK-based and UK-regulated

    A trading style of The AI Consultancy (London) Ltd, registered in England and Wales. Trainers and associates are UK-based.

  • Vendor-neutral

    No reseller commissions, no platform lock-in. Training covers the tools your firm uses, not the tools we are paid to promote.