Model Office Responsible AI Governance & Assurance Policy

1. Purpose

Model Office is committed to the responsible, transparent and secure development, deployment and oversight of Artificial Intelligence (AI) technologies across our Regulatory Technology (RegTech) platform.
This policy establishes the governance, risk management, operational resilience and accountability standards applied to AI systems used within Model Office and demonstrates our alignment with UK, EU and international regulatory expectations.

Our objective is to ensure AI enhances regulatory oversight, governance, risk management and compliance outcomes while maintaining appropriate human accountability, consumer protection, operational resilience and information security.

2. Governance and Accountability

Model Office maintains clear accountability for all AI-enabled services.

Senior Management Accountability
AI systems operate under defined governance arrangements with responsibility allocated to senior management in accordance with:

  • Senior Managers & Certification Regime (SMCR)
  • FCA Senior Management Arrangements, Systems and Controls (SYSC)
  • Consumer Duty requirements

Management oversight includes:

  • AI strategy approval
  • Risk appetite definition
  • Model governance review
  • Third-party oversight
  • Incident escalation
  • Consumer outcome monitoring

No AI system operates without identified business ownership and management accountability.

3. Human Oversight

Model Office adopts a Human-in-the-Loop approach for regulatory decision support.
AI outputs are designed to:

  • Support compliance assessments
  • Identify potential risks
  • Highlight exceptions
  • Assist supervisory activity

AI does not replace regulated decision-making responsibilities.
Ultimate responsibility remains with:

  • Regulated firms
  • Compliance officers
  • Senior managers
  • Approved persons

Users retain full responsibility for regulatory decisions, client outcomes and compliance obligations.

4. Consumer Duty Alignment

Model Office designs AI systems to support good customer outcomes in accordance with FCA Consumer Duty requirements.
Controls include:

  • Outcome-focused monitoring
  • Bias and fairness assessments
  • Explainable reporting
  • Audit trails
  • Data quality controls
  • Ongoing performance monitoring

AI-generated insights are designed to enhance:

  • Consumer understanding
  • Fair value assessments
  • Customer support
  • Vulnerable customer oversight
  • Governance and oversight reporting

5. AI Risk Management Framework

Model Office operates a structured AI risk management framework aligned to:

  • FCA SYSC requirements
  • FCA AI governance expectations
  • Bank of England and PRA guidance
  • US Federal Reserve SR 11-7 Model Risk Management principles
  • Industry Model Risk Management standards

Key controls include:

Model Inventory
All material AI models are identified, documented and risk classified.

Validation
Models are subject to:

  • Testing
  • Performance monitoring
  • Accuracy assessment
  • Ongoing review

Monitoring
Models are continuously monitored for:

  • Drift
  • Reliability
  • Performance degradation
  • Emerging risks

Change Control
Material changes are governed through formal review and approval processes.

6. Third-Party AI Governance

Where third-party AI technologies are utilised, Model Office applies vendor governance controls aligned to:

  • FCA SYSC 8
  • FCA SYSC 15
  • PRA SS2/21
  • EBA Outsourcing Guidelines
  • DORA requirements

Assessment criteria include:

  • Security controls
  • Operational resilience
  • Data protection
  • Financial stability
  • Sub-processor oversight
  • Business continuity arrangements
  • Regulatory compliance

Third-party providers remain subject to ongoing monitoring and review.

7. Operational Resilience

Model Office maintains operational resilience arrangements designed to support critical services.
Our approach aligns with:

  • FCA Operational Resilience requirements
  • PRA Operational Resilience expectations
  • DORA operational resilience principles

Controls include:

  • Business continuity planning
  • Incident management procedures
  • Service monitoring
  • Disaster recovery capabilities
  • Resilience testing
  • Supplier resilience assessments

Material incidents are managed through documented escalation and response procedures.

8. Cyber Security and Information Assurance

Model Office applies security controls designed to protect data, systems and AI services.
Our control framework is aligned with:

  • ISO 27001 principles
  • SOC 2 Trust Service Criteria
  • FCA cyber resilience expectations
  • DORA ICT risk requirements

Controls include:

  • Access management
  • Multi-factor authentication
  • Encryption in transit and at rest
  • Vulnerability management
  • Security monitoring
  • Secure development practices
  • Penetration testing

Security controls are reviewed regularly to address evolving threats.

9. Data Protection and Privacy

Model Office processes personal data in accordance with:

  • UK GDPR
  • EU GDPR
  • Data Protection Act 2018

Key principles include:

  • Lawfulness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality

AI systems are designed to support privacy-by-design and security-by-design principles.

10. DORA and ICT Risk Management

Model Office maintains ICT governance arrangements consistent with Digital Operational Resilience Act (DORA) principles.
This includes:

  • ICT risk management
  • Third-party oversight
  • Incident response processes
  • Operational resilience testing
  • Supplier risk assessments
  • Business continuity arrangements

Material technology risks are reviewed through established governance processes.

11. Model Transparency and Explainability

Where AI-generated outputs are provided, Model Office seeks to ensure:

  • Transparency of purpose
  • Appropriate explainability
  • Traceability of outputs
  • Auditability of decisions

Users are informed when AI-generated insights contribute to regulatory assessments or supervisory reporting.

12. Testing and Assurance

Model Office operates a programme of ongoing assurance activities including:

  • Model testing
  • Security testing
  • Penetration testing
  • Control reviews
  • Supplier assessments
  • Performance monitoring

Independent assurance may be obtained where appropriate to support customer and regulatory expectations.

13. Training and Competence

Personnel involved in AI development, deployment and oversight receive appropriate training covering:

  • AI governance
  • Data protection
  • Information security
  • Regulatory obligations
  • Operational resilience
  • Consumer Duty considerations

Training is reviewed periodically to reflect evolving regulatory expectations.

14. Continuous Improvement

AI governance is reviewed regularly to reflect:

  • Regulatory developments
  • FCA guidance
  • PRA expectations
  • DORA implementation requirements
  • Emerging technology risks
  • Industry best practice

Model Office remains committed to the responsible deployment of AI technologies that enhance governance, risk management, regulatory oversight and consumer outcomes.

Regulatory Alignment

This policy is designed to support alignment with the principles and expectations contained within:

UK Regulatory Framework

  • SMCR
  • FCA SYSC 8
  • FCA SYSC 15
  • FCA Consumer Duty
  • UK GDPR

EU Regulatory Framework

  • DORA
  • EBA Outsourcing Guidelines
  • EU GDPR

Prudential & Outsourcing

  • PRA SS2/21
  • Material Outsourcing Guidance
  • ICT Third-Party Risk Management

AI & Model Governance

  • SR 11-7 Model Risk Management
  • Model Risk Management Principles
  • UK AI governance expectations and emerging supervisory guidance

Operational & Cyber

  • Operational Resilience Frameworks
  • Penetration Testing Standards

Vendor Assurance

  • ISO 27001 Principles
  • ISO 42001 (managing and implementing Artificial Intelligence systems responsibly; in progress)
  • SOC 2 Trust Service Criteria (in progress)
  • Cyber Essentials
