TL;DR: Most general-purpose AI tools were built to generate text. They were not built to know a firm's suitability report templates, connect to a back-office system, or check output against FCA Consumer Duty requirements. A November 2025 Which? investigation tested six AI tools (ChatGPT, Google Gemini, Gemini AI Overview, Microsoft Copilot, Meta AI and Perplexity) against forty common consumer questions across money, legal, health, and consumer rights. When asked about a £25,000 ISA allowance (which exceeds the actual £20,000 limit), both ChatGPT and Copilot failed to correct the error, an outcome that would have triggered HMRC penalties for any client who acted on it. This article covers where the regulatory and data risk sits, and how documentation tools built specifically for UK financial advice, like AdvisoryAI, handle the workflow differently.
A pattern has emerged across UK advice firms over the past eighteen months. Individual advisers are building their own documentation workflows from generic tools: transcribing meetings with third-party software, drafting suitability reports in ChatGPT, and running compliance checks separately, if they run them at all. Each adviser solves the problem differently, which means documentation quality varies across the firm and the operations function has no consistent audit trail to evidence Consumer Duty outcomes.
Some firms are attempting to stretch general-purpose AI licences into advice documentation workflows those tools were not designed for. This approach creates regulatory and data security exposure at the firm level because generic tools were not built for UK advice workflows.
What Generic AI Tools Actually Do
Generic large language models generate text based on prompts, and that is the entirety of what they do in this context. They do not:
- Know who your clients are or connect to your back-office system (Intelliflo, Iress Xplan, Plannr, or Curo).
- Generate suitability reports from your firm's own templates.
- Check anything against FCA Consumer Duty or COBS standards.
- Log what client data was used, what was queried, or what was output on consumer tiers.
That is an accurate description of what generic AI offers in an advice context: a text generator, not an advice documentation platform. The AdvisoryAI platform walkthrough illustrates the structural difference between this approach and a purpose-built tool.
The Regulatory Risk of Using Generic AI in an FCA-Regulated Firm
The FCA Says Generic AI Is Not for Financial Decisions
The FCA's InvestSmart guidance states that general-purpose tools like ChatGPT and Gemini are "not set up to assist with financial decisions and are not regulated." The regulator has drawn a clear line between consumer AI tools and purpose-built platforms for regulated advice work.
The FCA Has Been Direct on This
The FCA's April 2024 AI Update made the regulator's position explicit: firms are responsible for the outputs of any AI tool they use in client-facing work, regardless of whether that tool was built for financial services or not. Manual spot-checking does not meet that standard: the FCA's May 2025 research note is explicit that validating LLM outputs requires a robust evaluation framework combining human judgement with automated tools, not periodic sampling.
The FCA's June 2024 multi-firm review of insurance firm outcomes monitoring found that monitoring approaches were "overly focused on processes being completed rather than on outcomes delivered," a finding that applies directly to any firm treating periodic sampling as adequate AI oversight.
SMCR Personal Accountability Does Not Disappear with Automation
FCA Executive Director David Geale told the House of Commons Treasury Committee that individuals in financial services firms are "on the hook" for harm caused to consumers through AI under the Senior Managers and Certification Regime. Under SMCR, delegating a task to an algorithm does not reduce the personal accountability of the named senior manager who authorised that deployment. If a ChatGPT-drafted suitability letter contains incorrect tax guidance and a client acts on it, the named senior manager cannot point to OpenAI.
Consumer Duty Evidencing as Standard
FCA Consumer Duty requires firms to evidence good client outcomes and avoid foreseeable harm, with documentation that is auditable and available for supervisory review. On consumer tiers, a ChatGPT conversation has no persistent audit trail, no record of what client data was fed into the prompt, and no log of who queried it or when. The FCA's finalised guidance FG16/5 on cloud outsourcing requires firms to document data location, exit planning, and audit rights. A consumer ChatGPT subscription satisfies none of those requirements.
The Industry Is Not Ready
The House of Commons Treasury Committee concluded in January 2026 that despite 75% of UK financial services firms using AI, the regulatory approach has "left consumers and the financial system exposed to potentially serious harm," with Chair Dame Meg Hillier stating she lacked confidence the system was prepared for a major AI incident. McKinsey's 2025 State of AI report found just 1% of C-suite leaders describe their gen AI rollouts as mature, while NVIDIA's January 2026 report found that 21% of respondents have deployed AI agents, in a survey of more than 800 financial services professionals.
The Which? November 2025 investigation tested six AI tools against forty common consumer questions across money, legal, health, and consumer rights, including financial questions where ChatGPT and Microsoft Copilot provided dangerous guidance. All six tools tested produced inaccurate or misleading guidance somewhere in the test set, with severity varying by tool. ChatGPT recommended exceeding ISA contribution limits. Neither ChatGPT nor Copilot corrected a deliberate error about ISA thresholds that would have triggered HMRC penalties. This was a controlled test of the most common tools advisers are currently experimenting with, not an edge case.
The Financial Planner Life Podcast's discussion on whether AI agents are worth it for financial planning and the specific clip covering 1,600 advisers using AI as a fuel rather than a tool are worth watching for practitioner perspectives on where the risk sits.
UK GDPR Failures of Consumer-Tier ChatGPT
Data Used for Training by Default
Consumer ChatGPT, covering Free, Go, Plus, Pro, and any Custom GPTs built on those tiers, uses conversations and uploaded content to train OpenAI's models by default. Opt-out is per-user rather than firm-wide and does not retroactively remove data already used, and consumer tiers are not covered by OpenAI's Data Processing Addendum. When a paraplanner pastes a client's LOA pack into a Plus-tier ChatGPT, that client's data is processed under terms that include no controller-processor agreement.
The ICO's AI guidance is unambiguous: UK GDPR Article 28 requires a written Data Processing Agreement whenever a controller engages a processor. No DPA on consumer tiers means the firm is operating without the foundational legal requirement for data processing. The same controller-processor and training-by-default questions apply to Claude on consumer tiers: Anthropic's consumer products do not include a Data Processing Agreement, and firms using Claude outside an enterprise contract face equivalent UK GDPR exposure.
Article-by-Article Compliance Gaps
The compliance gaps are not isolated. Using consumer ChatGPT with client data fails across multiple UK GDPR articles simultaneously:
| UK GDPR Article | Requirement | Consumer ChatGPT Status |
|---|---|---|
| Article 5 (Purpose limitation) | Data collected for advice, not model training | Fails: used for training by default |
| Article 6 (Lawful basis) | Valid legal basis for processing | Fails: no basis for third-party LLM training |
| Article 28 (Processor contract) | Written DPA with processor | Fails: no DPA on consumer tiers |
| Article 30 (Records of processing) | Documented ROPA entry | Fails: categories and recipients uncontrollable |
| Article 32 (Security) | Appropriate technical measures | Fails: no audit log, prompt injection risks |
| Article 35 (DPIA) | Impact assessment for high-risk processing | Fails: typically required but not completed |
| Chapter V (Transfers) | Valid transfer mechanism to US | Fails: no DPA means no Article 46 safeguard |
The PRA's model risk rules (SS1/23), in effect since May 2024, apply directly to PRA-regulated banks and certain designated investment firms, requiring any AI model to be documented thoroughly enough for independent review. The principles are increasingly referenced as best practice across the wider sector, including FCA-regulated advice firms. A general-purpose model deployed without firm-specific documentation, validation records, or independent review processes does not satisfy what SS1/23 requires. The EU AI Act introduces quality-management and oversight obligations for high-risk AI from August 2026. Full compliance deadlines have been extended, but the obligations remain active for UK firms with EU market exposure, and those firms cannot satisfy them using undocumented general-purpose models.
Custom GPTs built on consumer tiers inherit every one of these failures. Academic research across 200-plus public Custom GPTs found that system instructions and knowledge files could be extracted through prompt injection; a vulnerability patched in February 2026 allowed covert file exfiltration via a single malicious prompt.
What ChatGPT Enterprise Gives You, and What It Does Not
Firms can use ChatGPT Enterprise in a way that addresses the UK GDPR gaps on consumer tiers, but the prerequisites are not trivial. OpenAI can execute a Data Processing Addendum with customers for ChatGPT Enterprise in support of GDPR compliance. A DPIA is required when ChatGPT processing is likely to result in a high risk to individuals under GDPR Article 35. FCA-regulated firms will typically need a lawful basis assessment with updated client privacy notices, a ROPA entry, a reconciled sub-processor register, and an international transfer mechanism under UK IDTA, and may need to satisfy SYSC 8 outsourcing and FG16/5 cloud requirements depending on their regulatory obligations. ChatGPT Enterprise is SOC 2 compliant and includes role-based access control, with the Enterprise Compliance API providing a record of time-stamped interactions.
After completing that compliance work, the firm has a general-purpose chat interface that still requires custom development for UK advice workflows. Enterprise does support connectors to third-party systems and custom GPT configurations, but these require significant custom development by the firm's own technical team. ChatGPT Enterprise includes built-in apps such as SharePoint, GitHub, Google Drive, and Box, but does not list Intelliflo, Iress Xplan, Plannr, or Curo as native integrations. Consumer Duty compliance checking and paraplanning queue management are not included features. The paraplanner's post-ChatGPT workflow remains: copy the draft, paste it into the template, reformat to firm style, re-key fact-find data into the back-office system, upload the document manually, and trigger a compliance check separately if they run one at all.
How AdvisoryAI Is Built Differently
The structural difference is not configuration. AdvisoryAI was built for UK advice workflows at large networks, consolidators, and investment management firms, with FCA compliance checking, back-office connectivity, and firm-specific template support as core architecture rather than add-ons. AdvisoryAI ranked #1 on AdviserSoftware.com for H1 2025, up from 26th position one year prior, and won EATT Best in Show for three consecutive years.
Purpose-Built Tools for UK Advice Work
Evie records client meetings via Microsoft Teams, Zoom, or Google Meet, producing structured notes covering objectives, circumstances, recommendations, next steps, and action items, plus a draft follow-up email. Beyond transcription, Evie captures tone, reactions, and hesitations that a seasoned adviser would otherwise miss. This soft facts layer is the primary reason firms choose AdvisoryAI's meeting tool over generic transcription. The Evie demo shows this in practice for annual review workflows.
Emma generates suitability reports, annual review reports, and LOA pack summaries from meeting notes, fact-finds, ceding information, cashflow modelling outputs, and risk profile assessments, using the firm's own templates and citing every statement back to its source. Colin runs 42 automated checks against FCA Consumer Duty requirements and COBS standards, providing colour-coded pass/fail verdicts and remediation guidance before the document leaves the adviser's desk.
Template configuration across more than 250 UK advice firms is completed by a team of ex-paraplanners and advisers within two weeks, matching each firm's existing document formats. AdvisoryAI's CTO Roshan Tamil Selvan holds a Masters in AI/ML from MIT, and the model was built on thousands of anonymised sample reports by ex-financial advisers and paraplanners. AdvisoryAI holds Cyber Essentials certification, has ISO 27001 in progress, stores client data on UK-based AWS servers, and does not use client data to train models. Both own-suite and fully bespoke templates are available, with even off-the-shelf options fully customisable to the firm's tonality, formatting preferences (bullets, paragraphs, tables), and individual adviser requirements.
Back-Office Connectivity Built into the Workflow
Structured meeting outputs, fact-find data, and client records push directly into your back office without manual re-entry, with native connections to Intelliflo, Plannr, Curo, and Iress Xplan. The Intelliflo integration is detailed in full, including how Evie populates fact-find fields covering personal information, investment details, and employment data, as International Adviser confirmed at integration launch.
For firms using ChatGPT on any tier, the copy-paste-reformat-re-key cycle after every meeting is a structural feature of that workflow, not a configuration problem that can be solved without purpose-built integrations. The Plannr integration demo shows how Evie connects directly with Plannr to automate the meeting-to-back-office workflow for advisers running on that platform.
Compliance Checking at the Point of Production
Colin is system-agnostic. It checks any suitability report, fact-find, or file note against FCA Consumer Duty and COBS requirements, not just documents produced within AdvisoryAI. A firm already using a different documentation tool can add Colin as a compliance layer across existing output without switching their entire workflow. The audit trail this produces is the Consumer Duty evidencing layer that generic AI on consumer tiers structurally cannot provide. Watch Colin in action to see how this compliance checking works at the point of production.
Atlas: One Interface, All Your Client Data
Colin handles compliance checking on individual documents. Atlas connects everything across your entire client database, linking suitability reports, meeting transcripts, and client documents into a single conversational interface. Atlas provides 50+ capabilities across five firm roles: advisers, paraplanners, compliance officers, operations managers, and administrative staff.
A single query can pull cross-source intelligence, for example 'What are the drawdown options for Michael Thompson?', drawing from back-office data, cashflow modelling outputs, investment platform records, meeting transcripts, and uploaded documents simultaneously. Workflow execution happens directly from chat: meeting note to annual review to full suitability report in one conversation, rather than switching between disconnected tools.
Atlas's May 2026 Adaptive Thinking update makes every query auditable: live status updates show each processing step, and a collapsible thinking block reveals the full reasoning behind every response, persisting across sessions. For firms cautious about black-box AI, Atlas does not hide its work.
The operational efficiency gains documented across customer firms, and their impact on firm valuations, are covered in full in the AdvisoryAI whitepaper: From Paperwork to Peoplework. The Financial Planner Life Podcast's episode on Gen AI in advice provides useful practitioner context on where documentation automation sits within the profession's broader AI adoption.
Cost Comparison
The cost case does not require complex modelling. Emma is priced at £299 per user per month. Firms currently outsourcing paraplanning can compare that directly against their existing cost per report across a typical monthly volume. Evie costs £99 per user per month and Colin costs £99 per user per month, with all pricing listed publicly on the website.
| Tool | Function | Monthly Price |
|---|---|---|
| Evie | Meeting notes and back-office updates | From £99/user/month |
| Emma | Suitability reports and document generation | £299/user/month |
| Colin | FCA compliance checking (system-agnostic) | £99/user/month |
Monthly rolling agreement. 30-day money-back guarantee. Annual commitment saves 10%.
A 14-day free trial with no credit card required is available, so firms can test output against their own workflows and templates before committing. All plans run on a monthly rolling agreement with a 30-day money-back guarantee, and an annual commitment saves 10% across the bundle. Request a demo to see how it works with your workflow.
FAQs
Is using ChatGPT for suitability reports a UK GDPR violation?
On consumer tiers (Free, Plus, Pro), yes: the firm is acting as a data controller using an uncontracted processor with no DPA, no DPIA, no ROPA entry, and client data used by default for model training. ChatGPT Enterprise can be used more compliantly with the correct legal framework in place (OpenAI can execute a DPA, and provides SOC 2 compliance, role-based access control, and audit logs), but it still lacks pre-configured FCA Consumer Duty compliance checking and requires custom development work by the firm's own technical team to integrate with UK advice workflows.
Does SMCR apply to AI tools used in client documentation?
Yes. FCA Executive Director David Geale told the Treasury Committee that individuals are "on the hook" for harm caused to consumers through AI under SMCR. Delegating a task to an algorithm does not reduce the personal accountability of the named senior manager who authorised that AI deployment.
Can Colin check suitability reports produced in other tools, not just AdvisoryAI?
Yes. Colin is system-agnostic and checks any suitability report, fact-find, or file note against FCA Consumer Duty and COBS standards, regardless of where the document was produced. A firm using a different documentation platform can add Colin as a compliance layer across existing output without switching their entire workflow.
What does AdvisoryAI's free trial include?
The 14-day free trial covers the platform with no credit card required, allowing firms to test Evie, Emma, and Colin against their own client workflows and document formats before committing. Monthly rolling agreements mean there is no lock-in beyond the initial evaluation period, and a 30-day money-back guarantee applies.
How does Evie handle face-to-face meetings where recording is not possible?
Evie records via Microsoft Teams, Zoom, and Google Meet for virtual meetings. For face-to-face meetings, Evie's recording-based functionality does not apply.
What is the setup time for firm-specific templates?
Template configuration for Emma and Evie is completed by AdvisoryAI's team of ex-paraplanners and advisers within two weeks of onboarding. The firm's existing document structure and formatting are replicated rather than replaced, so compliance-checked document formats already in use stay intact.
Key Terms
Data Processing Agreement (DPA): A legally binding contract between a data controller (the advice firm) and a data processor (the AI tool provider) required under UK GDPR Article 28. It specifies what data is processed, for what purpose, and what safeguards apply. Consumer-tier ChatGPT and Claude do not include one.
DPIA (Data Protection Impact Assessment): A structured assessment required under UK GDPR Article 35 when processing is likely to result in a high risk to individuals. Using AI tools to process client financial data typically triggers the requirement. Most consumer-tier AI deployments in advice firms have not completed one.
ROPA (Record of Processing Activities): A documented register of all data processing activities a firm carries out, required under UK GDPR Article 30. Using a consumer AI tool with client data creates a processing activity that must be recorded, including the categories of data, the processor's identity, and the legal basis for processing.
SMCR (Senior Managers and Certification Regime): The FCA framework that assigns personal accountability to named individuals within regulated firms for the activities and risks within their area of responsibility. SMCR accountability does not transfer to a third-party AI tool: the named senior manager who authorised an AI deployment remains personally accountable for harm caused by its outputs.
SS1/23 (PRA Supervisory Statement on Model Risk Management): PRA guidance in effect since May 2024 requiring PRA-regulated banks and certain designated investment firms to document, validate, and independently review any model used in their operations. AI tools are explicitly in scope. The principles are increasingly referenced as best practice across the wider FCA-regulated sector.







