Britain's top banking regulator has issued its starkest warning yet about artificial intelligence, saying it is now reasonable to expect it to cause serious disruption across the UK's financial system. Sam Woods, chief executive of the Bank of England's Prudential Regulation Authority, told an industry summit this week that the latest generation of AI models — among them Anthropic's Mythos and ChatGPT 5.5 Instant — posed a challenge that banks could no longer treat as a distant concern.
Speaking at UK Finance's Growth Delivery Summit on 11 May, Woods said the problem is specific and immediate. These newer models are becoming far better at detecting weaknesses in software systems — and the moment a vulnerability is found, the clock starts ticking. For the UK's banks, many of which still run on ageing technology infrastructure, that is a genuinely uncomfortable development.
"The main driver of outages" across financial services, Woods explained, is the lag between a vulnerability being identified and a firm patching it. AI is now compressing that window dramatically. Institutions that once had days or weeks to respond may soon have hours.
A new kind of threat on the high street
What makes the warning land differently from the usual regulatory boilerplate is its directness. For the first time, the UK's bank regulator has named a specific generation of models and used the word disruption plainly — not as a caveat buried in a footnote, but as the main message. Firms, Woods said, will need to sharpen their basic cyber hygiene and respond faster, with AI-powered defences becoming an increasingly essential part of their toolkit rather than an optional extra.
Anthropic launched Mythos to a select group of business clients in April. Cybersecurity specialists have since raised flags about its ability to probe the kind of legacy systems that sit at the heart of British banking. A BoE-led resilience exercise concluded last month that the sector was currently prepared for that pressure — but Woods's remarks suggest the regulator is not banking on that judgement holding indefinitely.
The timing matters. Three-quarters of UK financial firms are already using AI in some form, according to a joint Bank of England and FCA survey published late last year. A further 10 per cent plan to adopt it within the next three years. The tools that once seemed futuristic are now operational realities — and the risks that come with them are moving from theoretical to live.
Regulators under pressure to keep pace
Woods's warning arrives at a delicate moment for UK financial regulators more broadly. The Treasury Select Committee published a report in January that accused the FCA, PRA and Bank of England of taking a "wait-and-see" approach to AI — one it warned risked serious harm to consumers and to the stability of the wider financial system. The Committee called for AI-specific stress testing, clearer guidance on existing consumer protection rules, and for HM Treasury to designate major AI and cloud providers as Critical Third Parties by the end of this year.
The regulators pushed back on the characterisation, insisting they were anything but passive. In April, the Bank of England and the PRA published a joint response confirming they were maintaining what they described as a technology-agnostic approach — relying on existing frameworks rather than writing new AI-specific rules. On 1 April, they confirmed that monitoring would continue through a new round of their biennial industry survey on AI adoption, and through the AI Consortium, a public-private body set up last year to gather expert input on how AI is being developed and deployed across the sector.
Meanwhile, the FCA launched its Mills Review in January — a long-term study into how AI will reshape retail financial services heading into the 2030s. The regulator has repeatedly stated it will not introduce AI-specific rules, preferring to keep frameworks flexible given how quickly the technology is evolving. Chief executive Nikhil Rathi has said the FCA will intervene only in cases of clear and serious failure.
The infrastructure question
Behind all of this sits a concern that goes beyond any single model or event. Britain's banks are not uniquely exposed, but they are not uniquely prepared either. Legacy systems, built over decades and often stitched together through mergers and acquisitions, are a known vulnerability — one that AI is now better equipped to exploit than any previous generation of tools.
The IMF has separately warned that AI-powered cyberattacks could, in extreme scenarios, trigger instability across the global financial system. That is a tail risk rather than a near-term forecast. But for regulators like Woods, the direction of travel is clear enough to warrant plain speaking now, before the pressure builds further.
For the UK's banks and insurers, the message from Threadneedle Street this week is simple enough: the window for leisurely preparation is closing. The question is no longer whether AI will test the system's defences. It is how quickly firms can be ready when it does.
