AI Meeting Notes & Client Consent: Privacy, GDPR, and Transparent Disclosure
Written by Ben Glass, Product Marketing Manager

TL;DR: Using AI to transcribe client meetings requires a clear lawful basis under UK GDPR, transparent disclosure of how audio is processed and stored, and a written Data Processing Agreement with your vendor. Explicit consent is the clearest and most defensible basis for this type of processing. The FCA's Consumer Duty reinforces transparency through its consumer understanding outcome. Generic AI tools hosted outside the UK create cross-border transfer obligations that add material compliance friction. Firms must document consent in their back office, apply a dual retention framework, and have a clear process when clients refuse recording.
AI note-takers introduce several material risks, including data storage location, hallucination, and e-discovery exposure. Routing a client's financial life through an unvetted third-party processor raises direct obligations under UK GDPR and FCA Consumer Duty that cannot be ignored. This guide covers the exact legal frameworks, consent scripts, and data retention policies UK advice firms need to use AI meeting note-takers compliantly.
FCA Compliance: AI Recording Consent
FCA Rules for AI Client Disclosure
The FCA's Conduct of Business Sourcebook requires firms to record relevant client conversations and retain them in a durable, retrievable, tamper-evident format. Introducing a third-party AI processor does not reduce this obligation. It adds one: you must demonstrate that the processor handles data in a manner consistent with your FCA requirements. If a meeting generates a suitability recommendation, the transcript becomes part of your advice file and must meet COBS record-keeping standards for the duration of the client relationship.
SYSC 10A centralises the communication recording rules. The AI tool that produced the transcript is not a productivity add-on sitting outside your regulatory framework. It is a data processor operating within your regulated record-keeping chain.
Evie captures not just what clients say, but how they say it: tone, reactions, and soft facts like client anxieties, family dynamics, and health concerns mentioned in passing. These are details that even seasoned advisers might otherwise miss. This is the primary reason firms choose AdvisoryAI's meeting note tool over generic transcription alternatives. Evie also understands UK dialects and financial services terminology, which matters when advisers discuss ATR, cashflow modelling, or CIP without translation.
Choosing Your GDPR Lawful Basis
UK GDPR requires every processing activity to rest on a valid lawful basis. For AI transcription of client meetings, explicit consent is the clearest and most defensible option. The ICO's guidance is clear: explicit consent must be affirmed in a statement, oral or written. It must be specific, informed, and unambiguous.
Legitimate interests can be a valid basis for some internal processing activities, but it requires you to complete and document a balancing test showing your interests genuinely outweigh the individual's rights. When audio recordings capture sensitive financial circumstances and personal disclosures, that balance is difficult to demonstrate. Explicit consent also produces a stronger audit trail: if your compliance team or the FCA asks you to evidence that clients understood how their data was processed, a recorded verbal confirmation at the meeting is significantly more defensible than a reliance on legitimate interests documentation.
Consumer Duty: AI Consent Rules
The FCA's Consumer Duty, set out in PS22/9 and in force from July 2023, requires firms to support good outcomes across four areas, one of which is consumer understanding. Introducing AI recording into a client meeting without clear, proactive disclosure fails this outcome directly. Clients cannot make informed decisions about their financial planning relationship if they do not know that a third-party processor is transcribing the conversation.
Consumer Duty also requires firms to document how customer outcomes were considered when deploying third-party technology. Your AI vendor due diligence, your DPA, and your consent process are Consumer Duty compliance artefacts that sit in your governance framework alongside your product and service reviews.
Mandatory Explicit Consent Situations
Consent for AI Meeting Capture
Explicit consent is required before any AI tool records or transcribes a client meeting. The ICO confirms that verbal consent is valid provided you record the script used and document the moment consent was given. A verbal confirmation at the start of a meeting is sufficient, provided it is logged in the client file with a timestamp.
When more than one client is present, such as a couple or a family trust meeting, all parties should be clearly informed that the meeting will be recorded and that AI transcription is in use. Document in your back-office record that all attendees were notified and that no objection was raised, noting the name of each person present.
AI Note-Taking: What to Disclose
UK GDPR Articles 13 and 14 specify the minimum information you must provide when collecting personal data. For AI meeting notes, that means disclosing:
The identity of your firm as the data controller and the AI vendor as the data processor
The purpose of the recording: producing accurate meeting notes and a compliant advice file
Who has access to the transcript: lead adviser, paraplanner, compliance team, and the AI vendor under its DPA
Where the data is stored and whether it leaves the UK
How long the audio is retained before deletion
The client's right to withdraw consent and how to exercise it
Providing this at the consent point, rather than burying it in an annual privacy notice update, satisfies both the GDPR transparency requirement and the Consumer Duty's consumer understanding outcome.
What to Tell Clients About AI Notes
Treat AI disclosure as an extension of your ongoing service proposition, not a compliance formality. When clients understand that you use AI to produce accurate notes and delete the raw audio promptly, they typically view it as a professional upgrade, not a privacy risk.
How the AI Processes Meeting Data
The data journey follows this sequence:
Evie captures the audio during the meeting.
Post-meeting, Evie produces a structured transcript covering objectives, circumstances, recommendations, and action items.
Evie pushes the structured notes into the fact-find fields in your back-office system (Intelliflo, Plannr, Curo, or Xplan).
The adviser or paraplanner approves the file note. Raw audio can be deleted once the file note is finalised.
Every step involves a data processor, which means your vendor contract must satisfy Article 28 of UK GDPR, covering processing scope, confidentiality, security measures, and sub-processor controls. If your current AI vendor cannot produce a compliant DPA on request, that is a material compliance gap to resolve before the next client meeting.
GDPR-Compliant Data Hosting
Processing audio outside the UK creates an international transfer obligation under UK GDPR Chapter V. The ICO confirms that information can flow freely from the UK only to countries covered by adequacy regulations.
For UK-to-US transfers, you require a valid transfer mechanism such as the UK Extension to the EU-US Data Privacy Framework (the UK-US Data Bridge), Standard Contractual Clauses, or a UK International Data Transfer Agreement (IDTA). US vendor certification under the EU-US Data Privacy Framework alone does not cover UK-to-US transfers: the vendor must also have opted into the UK Extension, and the transfer must be of personal data types the vendor is registered to receive. Tools such as Otter.ai process data on US-hosted servers, which means you need to conduct transfer mechanism due diligence. That compliance burden does not exist for UK-hosted tools.
The table below shows how data residency compares across the main note-taking approaches available to UK advice firms:
| Criteria | Generic AI (e.g., Otter.ai) | AdvisoryAI (Evie) | Manual Notes |
|---|---|---|---|
| UK data residency | No (US-hosted) | Yes (UK-hosted) | N/A |
| FCA compliance checking | No | Yes (Colin) | No |
| Back-office integration | No | Yes (Intelliflo, Plannr, Curo, Xplan) | Manual re-entry |
| Public pricing | Yes ($0–$30/user, USD) | Yes (£99/user/ | N/A |
Processing audio outside the UK creates a compliance exposure that most advice firms cannot justify. AdvisoryAI eliminates that risk: Evie processes and stores all meeting data within the UK. Evie is a capability within Atlas, AdvisoryAI's conversational interface across meeting data, reports, and client records. AdvisoryAI holds Cyber Essentials certification and is completing ISO 27001, which removes the need to run Standard Contractual Clauses or IDTA paperwork for every processing activity. AdvisoryAI is the #1 most-viewed AI tool on AdviserSoftware.com (H1 2025). See how Evie works in a real advice context in this FCA-compliant meeting notes demo.
Authorised Parties for Transcript Access
Define in your consent disclosure exactly who can access the raw transcript. In most advice firms, this covers: the lead adviser, the assigned paraplanner, the compliance officer, and the AI vendor restricted to processing only under your DPA. Clients should understand that their paraplanner will use the structured notes to prepare suitability documentation, because that is a direct benefit of the recording and part of your service proposition. Ask your vendor for a current sub-processor list and update it in your vendor due diligence log at least annually.
Client AI Data Retention & Deletion
Data minimisation under UK GDPR means retaining personal data only for as long as it is needed for its stated purpose. For AI meeting audio, that purpose is producing the structured file note. Once the file note is approved, the audio has served its purpose and your firm should delete it promptly. The ICO's storage limitation guidance confirms that organisations should only keep recordings for as long as needed, and that clients retain the right to request deletion.
Applying GDPR Rules for AI Note Capture
Securing Consent: New vs. Returning Clients
New clients should receive an AI recording consent section within their onboarding documentation, framed as part of your service description rather than a separate legal form. A brief paragraph explaining the recording purpose, the UK hosting arrangement, and the right to refuse is sufficient.
Returning clients require proactive notification, not a buried clause in an updated terms letter. The most effective approach is a brief verbal introduction at the first AI-recorded meeting, confirmed by a follow-up email that records their agreement.
One Chartered Financial Planner at Brooks Macdonald reports that post-meeting note time dropped from 1.5 hours to 15 minutes when they introduced Evie for annual review meetings.
Scripting Verbal Consent for AI Notes
The ICO confirms that verbal consent is valid provided you record the script and log the consent moment. The following scripts can be adapted to your firm's style.
For virtual meetings (Teams, Zoom, or Google Meet):
"Before we dive in, I use an AI tool to take notes for me so I can give you my full attention today. Are you happy for me to record today? The recording is processed securely in the UK and deleted once the notes are finalised, and you can decline or ask me to delete it at any time."
Atlas is AdvisoryAI's conversational interface where advisers query meeting transcripts, suitability reports, uploaded documents, and client data from one place. It enables pre-meeting preparation by pulling vulnerability history and client context, and supports querying the entire client database for investment opportunities and patterns. Evie, Emma, and Colin are capabilities within Atlas. Evie records via Microsoft Teams, Zoom, and Google Meet, so your verbal script works consistently across all platforms without separate processes per format.
FCA-Compliant Written Consent Templates
Include the following language in your client agreement or pre-meeting email confirmation:
Purpose: Your firm uses AI transcription to produce structured meeting notes and file records in compliance with FCA COBS record-keeping requirements
Processor identity: Meeting audio is processed by AdvisoryAI, a UK-based data processor operating under a written Data Processing Agreement
Data location: All audio and transcript data is stored within the UK
Retention: Your firm deletes raw audio files once the file note is finalised and approved. Structured meeting notes are retained in accordance with FCA guidance
Your rights: You may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing
Alternatives: If you prefer, your adviser will take manual notes. The quality of advice delivered will not be affected. Some firms using AdvisoryAI have begun reflecting the efficiency value of AI recording in their fee structures, charging less for recorded meetings or applying a premium to unrecorded ones, which is an interesting market signal about how the profession is beginning to price documentation capability
Recording Consent in Intelliflo & Back-Office Systems
The ICO is clear that consent records must include who consented, when, what they were told, and how they gave consent. Your back office is the correct place to store this audit trail. In Intelliflo, one approach is to create a custom field to record consent status, capturing whether consent was given, refused, or subsequently withdrawn, along with the relevant date in each case. Add a note linking to the specific meeting record where verbal consent was obtained.
The Evie and Intelliflo integration pushes structured meeting outputs directly into the client file, so the consent record and the resulting notes sit together in one retrievable location. Watch the Intelliflo integration demo to see this working in practice.
Handling Client Objections to Recording
Evie does not join meetings automatically. Advisers control when Evie joins each meeting, and can delete any meeting recording and associated data from the system at any time. This gives advisers complete control over their client data throughout the recording and retention process.
Some clients will decline AI recording. This is their right, and handling it well is part of your Consumer Duty obligations.
Secure Manual Client File Notes
When a client refuses, revert to manual notes immediately. Confirm verbally at the start of the meeting that you are not recording and will take written notes instead, then follow up with a brief email confirming this arrangement. Some firms using AdvisoryAI have suggested charging clients more for meetings that are not recorded (or less for those that are) due to the efficiency gain, which is an interesting market signal about how firms value the documentation capability.
AdvisoryAI provides structured guidance for managing recording opt-outs without losing documentation quality, including templates advisers can complete manually post-meeting.
Managing Partial Client Consent
Some clients may agree to transcription but decline audio retention, or allow recording for one specific meeting only. Both are valid arrangements. Document the exact scope of the client's consent in their back-office record. If a client agrees to transcription but not audio retention, configure your process so the audio is deleted immediately upon transcript completion, ahead of any standard deletion window.
Recording Objections in the Client File
Documenting a refusal is as important as documenting consent. An FCA supervision visit or complaint investigation may require you to demonstrate that a client who was not AI-recorded made that choice actively. Log the refusal with date, method, and the client's stated reason if they provide one. This protects the adviser and demonstrates a compliant consent process.
FCA-Compliant AI Data Retention & Deletion
UK FCA Data Storage Mandates
FCA record-keeping requirements under COBS mandate that firms retain suitability records for the duration of the client relationship.
The FCA Handbook's COBS record-keeping provisions specify that records must be retained for at least the duration of the relationship between the firm and the client, and pension transfer advice requires longer retention given the long-term nature of the advice. FCA COBS record-keeping obligations apply to the suitability record and final file note.
The treatment of raw audio is a separate question governed by GDPR's data minimisation principle, addressed in the section below.
GDPR Retention for Client Files
UK GDPR's storage limitation principle requires personal data to be kept no longer than necessary for its stated purpose. The result is a dual retention framework that advice firms must apply:
Raw audio: Delete promptly once the adviser or paraplanner approves the final file note
Transcript (if stored separately): Merge into the file note and delete the standalone version
Final meeting note: Retain per FCA guidance, relationship duration minimum, longer for specific advice types
Communicate this framework explicitly in your client consent disclosure so clients understand the distinction between the audio and the lasting record.
Managing AI Audio and Transcript Deletion
Establish a clear internal policy that names the deletion timeline, assigns responsibility for triggering deletion (typically the adviser or paraplanner), and creates a log of deletion actions.
If your AI vendor's platform does not support automated deletion, establish a documented manual review process to clear audio files that have passed their retention window, with a named responsible party and a defined review frequency set by your firm's compliance policy. This creates the audit evidence that regulators and compliance reviewers expect to see.
Managing Client Data Erasure Requests
A client exercising their right to erasure requires you to delete raw audio and any standalone transcript. You are not required to delete the final meeting note if your FCA record-keeping obligation provides a lawful basis to retain it, though note that erasure rights are not absolute and exemptions must be applied case by case.
Explain this clearly in your response to the request, referencing the competing legal obligation, and delete all other data associated with the AI processing.
FCA-Compliant Consent Wording Examples
Client Consent Script for AI Recording
Use this shorter version for review meetings with established clients who have already given written consent in their onboarding documentation: "As always, I'll be using my AI transcription tool today to keep accurate notes for your file. Are you still happy with that?"
This brief check-in refreshes consent, generates a documented confirmation, and takes seconds of meeting time. The ICO's guidance on consent indicates you should consider refreshing consent at appropriate intervals, particularly when the processing relationship or purpose changes.
FCA-Compliant AI Consent Template
Use the structured consent form below for new-client onboarding packs or for existing-client communications introducing AI recording for the first time.
AI Meeting Recording Consent
I confirm that I have been informed that [Firm Name] uses AI transcription software to record and produce structured notes from client meetings. I understand that:
Processing location: Audio is processed and stored within the United Kingdom.
Processor identity: The AI tool is provided by [AdvisoryAI], operating under a written DPA.
Access: My transcript may be accessed by my adviser, assigned paraplanner, and compliance team.
Retention: Your firm deletes raw audio once the file note is finalised and approved. The final meeting note is retained per FCA rules.
Withdrawal: I may withdraw this consent at any time without affecting prior processing or the quality of advice I receive.
Client signature: _______________________
Date: _______________________
Colin reviews file notes against Consumer Duty requirements and COBS standards before files leave your desk. Colin works on any suitability report, regardless of whether it was created using AdvisoryAI. The model is trained on thousands of sample reports and built by ex-financial advisers and paraplanners, with technical leadership from AdvisoryAI's CTO Roshan Tamil Selvan, who holds a Master's in AI/ML from MIT.
In a rapidly moving regulatory and technology environment, AdvisoryAI does not require a 12-month commitment, unlike many enterprise AI tools: Evie at £99 per user per month, Colin at £99 per user per month, both on a monthly rolling agreement with a 30-day money-back guarantee, or save 10% on an annual plan. Emma is available at £299 per user per month. All tools work from your firm's own templates with full customisation of advice style, tonality, and formatting.
Request a demo to see how Colin checks documentation against FCA Consumer Duty requirements in practice.
FAQs
Is Client Disclosure Required for AI Notes?
Yes. UK GDPR Articles 13 and 14 require you to inform clients about the purpose of processing, the identity of any data processor, and their data subject rights before processing begins. FCA Consumer Duty's consumer understanding outcome reinforces this obligation specifically for third-party technology.
How Do I Manage Revoked Client Consent?
Stop recording immediately, revert to manual notes, and update the AI Recording Consent field in your back office to "Consent Withdrawn" with the date and time. The ICO's guidance on consent withdrawal is clear that it must be as easy to withdraw as it was to give, so a single verbal instruction from the client is sufficient.
Do I Need Separate Consent for Each Meeting?
Written consent in your onboarding documentation can cover ongoing AI recording. The ICO's guidance indicates you should consider refreshing consent at appropriate intervals, and a brief verbal check-in at each meeting supports your documented consent record. For new clients, document written consent in the onboarding pack and confirm verbally at the first AI-recorded meeting.
What Are the FCA Rules for AI Note Retention?
The final structured meeting note must be retained for the duration of the client relationship under COBS, which may extend beyond five years depending on relationship length, with pension transfer advice requiring longer retention still. Your firm should delete raw audio promptly once the file note is finalised, in line with GDPR's storage limitation principle.
Can Evie Detect Vulnerable Customer Signals?
Yes. Evie captured a case at One FS where a client asked the adviser to repeat information multiple times due to WiFi issues, and Evie flagged hard of hearing as a potential vulnerability, which the adviser had not initially identified. This demonstrates Evie's ability to capture compliance-critical soft facts.
How Does Evie Fit Into an Existing Advice Workflow?
The end-to-end workflow follows this sequence: adviser uses Atlas for pre-meeting preparation, pulling vulnerability history and client context → adviser joins the meeting via Microsoft Teams, Zoom, or Google Meet → Evie records and transcribes → Evie pushes structured notes to the back office (Intelliflo, Plannr, Curo, Xplan) → paraplanner uses the output to prepare suitability documentation → the firm deletes raw audio post-approval. One Chartered Financial Planner at Brooks Macdonald reports that post-meeting note time dropped from 1.5 hours to 15 minutes when they introduced Evie for annual review meetings.
Can Evie Be Customised to Our Firm's Templates and Advice Style?
Yes. All AdvisoryAI tools work from the firm's own templates with full customisation of advice style, tonality, and formatting. Colin reviews file notes against Consumer Duty and COBS standards regardless of whether the suitability report was created using AdvisoryAI.
How Accurate Is the Underlying AI Model?
The model achieves 95% accuracy. It is trained on thousands of sample reports and built by ex-financial advisers and paraplanners, with technical leadership from AdvisoryAI's CTO Roshan Tamil Selvan, who holds a Master's in AI/ML from MIT. Hallucination risk is mitigated by the structured output format and Colin's post-meeting compliance review layer. Evie captures tone, reactions, and soft facts such as client anxieties, family dynamics, and health concerns mentioned in passing: details that even seasoned advisers might otherwise miss.
How Does AdvisoryAI Scale Across a Whole Firm?
AdvisoryAI offers multi-user pricing with Evie at £99 per user per month and Colin at £99 per user per month, both on monthly rolling agreements with a 30-day money-back guarantee, or save 10% on an annual plan. Emma is available at £299 per user per month. Atlas is AdvisoryAI's conversational interface where advisers query meeting transcripts, suitability reports, uploaded documents, and client data from one place, and supports querying the entire client database for investment opportunities and patterns. Evie, Emma, and Colin are capabilities within Atlas. For larger IFAs and network firms, AdvisoryAI works in a co-creation model rather than a standard vendor relationship, drawing on direct experience with enterprise advice businesses to configure workflows, consent frameworks, and back-office integrations around the firm's existing compliance infrastructure, rather than asking the firm to adapt to the tool.
Key Terms Glossary
GDPR (UK General Data Protection Regulation): The retained version of EU GDPR that applies in the UK following Brexit, governed by the Data Protection Act 2018. It sets the lawful basis requirements, data subject rights, and processor obligations that apply to AI meeting note tools.
ICO (Information Commissioner's Office): The UK's independent regulator for data protection, responsible for enforcing UK GDPR and providing guidance on lawful processing. The ICO publishes detailed guidance on consent, lawful basis, and international transfers.
FCA Consumer Duty: The FCA's regulatory standard, set out in PS22/9 published July 2022 and in force from July 2023, requiring firms to deliver good outcomes across four areas including consumer understanding. It applies to decisions about third-party technology vendors used in client-facing processes.
Data Processing Agreement (DPA): A written contract required by Article 28 of UK GDPR whenever a data controller uses a data processor. It must specify the scope, purpose, security measures, and end-of-contract deletion obligations for the processing activity.
Controller: The firm (your advice business) that determines the purpose and means of processing personal data. As controller, you are responsible for obtaining consent, maintaining the audit trail, and ensuring your processors comply with UK GDPR.
Processor: A third party that processes personal data on behalf of the controller, such as an AI transcription vendor. The processor must operate only on the controller's documented instructions and cannot use the data for its own purposes.






