The FCA’s AI review and payments: friction is a foundation

The FCA has launched an AI review in retail finance. For payments, the issue is not autonomy but control. Open banking, with native consent and strong customer authentication (SCA), offers a foundation that aligns with emerging regulatory expectations.

Why the FCA is reviewing AI in retail finance

In January 2026 the Financial Conduct Authority announced a formal review of the impact of advanced AI on retail financial services, with findings expected to go to the FCA board by mid-2026.¹

Rather than focus on high-level AI questions, the FCA has clarified that its interest is risk, consumer outcomes and accountability where AI starts to influence financial decisions or take action on behalf of consumers.¹

This is a forward-looking safety and governance exercise.


Shopper wariness and the limits of “frictionless”

Recent surveys - including those referenced on LinkedIn by Asima’s CEO² - show a persistent gap between comfort with AI assistance and discomfort with full autonomy. Consumers are generally comfortable with suggestions or co-pilot behaviour, but not ready to cede control over sensitive financial actions.

That’s important because it highlights a deeper issue:

People do not fear automation per se. What they do fear is loss of agency.

The FCA’s review is, at its core, about ensuring agency and accountability when autonomy increases.


Where friction fits into trustworthy automation

One of the unexpected insights from early agentic commerce discussions is that friction isn’t always a UX problem - sometimes it’s the mechanism of trust.

For payments and commerce, friction often manifests as:

  • verification steps,
  • authorisation prompts,
  • explainable consent decisions.

These are guardrails that ensure consumers remain in control of material outcomes.

The FCA’s AI review reinforces this. It emphasises that:

  • financial decisions have real consequences,
  • models must be explainable and auditable,
  • firms must demonstrate how consent and control are preserved.

In payments, this directly implicates authentication and consent architecture.


Cards vs account authentication: a structural distinction

Traditional card payments were created in a world where:

  • the credential (card number) was the authority,
  • authentication could be retrofitted around the rail,
  • fraud controls were add-ons, not foundations.

This design has required many compensating controls over time - CVVs, PINs, OTPs, 3D Secure, behavioural analytics - precisely because authentication is not inherent to the rail.

In contrast, open banking’s foundation is consent and secure bank authentication.
Every action that touches value initiates from an explicit, authenticated consent event.

This architecture maps directly to the FCA’s broader concerns about autonomous systems: it gives firms, consumers and regulators a single, inspectable record of intent validated by the bank.


Strong customer authentication (SCA) was introduced under PSD2 to reduce fraud through two-factor checks.³ But it also serves a second, deeper purpose: a public, bank-controlled confirmation checkpoint for value movement.

In an AI-assisted or agentic commerce world, this is vital because:

  • it provides a verifiable evidence trail,
  • it prevents agents from operating without human confirmation,
  • and it structures decisions in a way that is both auditable and contestable.

SCA becomes not just compliance, but the trust mechanism that reconciles autonomy with agency.


Open banking as a governable layer

Where legacy rails often treat authentication as a bolt-on, open banking treats it as a first-class citizen. That has three practical consequences:

  1. Consent is explicit and revocable
    Every authorised action begins with a consent object that can be versioned, revoked and evidenced.
  2. Authentication is native to the value movement
    There is no “credential store” for AI to misuse; permissions are testable in real time.
  3. Observability and auditability are built into the infrastructure
    This meets the FCA’s emerging demand that firms be able to explain why and how a decision was made.¹

What this means for payments product design

AI-assisted or agentic experiences will still need checkpoints - not to frustrate users, but to preserve their control.

That implies:

  • consented decision boundaries,
  • context-aware authentication,
  • deterministic rails.

In practice, this suggests that account-to-account (A2A) payments via open banking (including commercial variable recurring payments, VRP) are more naturally aligned to a future where:

  • AI proposes, examines and recommends,
  • the customer authorises with SCA when value actually moves,
  • and regulatory obligations are embedded, not bolted on.

A practical example

Imagine an AI assistant that:

  1. identifies an imminent overdue energy bill,
  2. proposes a catch-up and future plan,
  3. pre-populates amounts and schedule,
  4. presents a single, readable action requiring SCA - e.g.,
    “Approve £54.23 today and £50 monthly for 3 months.”

Because consent and authentication occur at the bank, the agent never holds credentials, and the decision is both user-centric and auditable.

This is trust by design, rather than friction for the sake of it.
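The consent model described under “Open banking as a governable layer” and the energy-bill example above, as an added illustration that is not code from the post or from Asima: a simulated bank (the only party that performs SCA and moves value), a consent object that is versioned, revocable and evidenced, and an assistant that can only propose. Class and method names are assumed for the illustration; the two SCA factors are simulated as booleans.

```python
import hashlib, json
from dataclasses import dataclass, field, asdict

@dataclass(frozen=True)
class Proposal:
    """What the assistant proposes; it carries intent only, never credentials."""
    payee: str
    amount_pence: int
    schedule: str

    def digest(self) -> str:
        # Canonical hash binds a consent to exactly these terms (amount, schedule, payee).
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()

@dataclass
class Consent:
    proposal_digest: str
    version: int = 1
    sca_confirmed: bool = False
    revoked: bool = False
    evidence: list = field(default_factory=list)  # inspectable record of intent and outcomes

class Bank:
    """Simulated bank (constructed for this example): sole holder of SCA and of the rail."""
    def __init__(self):
        self.consents = {}

    def request_consent(self, proposal: Proposal) -> str:
        consent_id = f"consent-{len(self.consents) + 1}"
        c = Consent(proposal.digest())
        c.evidence.append(("proposed", proposal.amount_pence, proposal.schedule))
        self.consents[consent_id] = c
        return consent_id

    def confirm_sca(self, consent_id: str, knowledge_ok: bool, possession_ok: bool) -> None:
        # Both independent factors must pass before the consent becomes live.
        c = self.consents[consent_id]
        c.sca_confirmed = knowledge_ok and possession_ok
        c.evidence.append(("sca", c.sca_confirmed))

    def revoke(self, consent_id: str) -> None:
        c = self.consents[consent_id]
        c.revoked = True
        c.version += 1  # revocation is a new, evidenced version of the consent
        c.evidence.append(("revoked", c.version))

    def execute(self, consent_id: str, proposal: Proposal) -> bool:
        """Move value only if consent is SCA-confirmed, unrevoked and matches the proposal."""
        c = self.consents.get(consent_id)
        ok = bool(c) and c.sca_confirmed and not c.revoked and c.proposal_digest == proposal.digest()
        if c: c.evidence.append(("execute", proposal.amount_pence, ok))
        return ok
```

A proposal whose amount the agent later changes no longer matches the consent digest, so it is refused at the bank, and the evidence list on the consent is what a firm would show a reviewer.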


Asima’s view: friction is control

As the FCA’s AI review progresses, a few themes are clear:

  • Consumers want agency, not autonomy without oversight.
  • Regulators need evidence rather than ex post rationalisation.
  • Infrastructure must give both groups something they can inspect.

Open banking - with consent primitives and SCA as anchors - delivers that in ways legacy rails cannot.

That means designing friction that is meaningful.

Friction isn’t the enemy of experience. It is the foundation of trustful automation.


Footnotes

¹ Financial Conduct Authority. FCA launches review into the impact of AI in retail financial services. January 2026.
² Omnisend. Shopper sentiment on AI commerce. (Public survey referenced in Kieron James LinkedIn post.) (Specific URL not publicly indexed.)
³ European Banking Authority. PSD2 Strong Customer Authentication requirements.

Kieron James