Most suitability reports and reasons why letters take between 45 minutes and two hours to draft, per case. Across a ten-adviser firm, that is a material chunk of each week spent on a document that follows pretty much the same structure every time. The question I get asked most often by advice firm owners is whether AI can take some of that back, and whether doing so will land them in trouble with the regulator.

The honest answer is yes to the first, and no to the second if you build it carefully. But the way most firms are thinking about this gets the priority order wrong. They start with the technology and work backwards to compliance. You need to do it the other way around.

What Consumer Duty actually requires of a suitability report

Consumer Duty requires that firms evidence, in a way a regulator could review, that the advice given was suitable for that specific client at that specific moment in time. The suitability report is the primary vehicle for that evidence. [1]

What Consumer Duty does not do is prohibit automation. What it does require is that the output of any process, automated or not, meets the standard of being genuinely personalised, clearly reasoned, and demonstrably in the client’s interest. A report produced by an AI system that contains templated language which does not reflect this client’s actual circumstances would fail that standard as readily as a copy-and-paste job from a word processor.

The compliance question is never “did a human type this?” It is “does this document accurately represent the advice given, and can the firm prove it?”

Why data quality is the foundation, not the technology

Before you choose a tool or build a workflow, the most important question is whether your client data is clean, structured, and complete enough to use as input.

A suitability report automation workflow is only as accurate as what you feed it. If your fact-find data lives in a CRM where fields are inconsistently completed, where risk profile scores are stored without the date they were recorded, or where attitude-to-risk and capacity-for-loss are conflated, the AI will work from a distorted picture of the client. The output will be plausible-sounding and wrong.

This matters more under Consumer Duty than it did before, because the duty focuses on outcomes, not just process. A report that looks professional but misrepresents the client’s circumstances is a Consumer Duty problem, regardless of whether a human or a system produced it.

So the first practical step is not to pick a tool. It is to audit the inputs. What data does a well-drafted suitability report actually rely on? Where does each piece come from in your current process? Is it consistently recorded, and in a format a system could read reliably?

This is often where firms discover that the limiting factor in their current process is not the drafting itself. It is the inconsistency upstream.
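One way to turn that input audit into a gate that runs before any record reaches the drafting tool, shown here as an added example that is not part of the original article or any vendor's product. The field names and the 365-day freshness limit are assumptions to be replaced with your own CRM schema and firm policy.

```python
from datetime import date, timedelta

# Hypothetical field names; map them to your own CRM or back-office export.
REQUIRED = ("client_id", "objectives", "risk_profile_score", "risk_profile_date",
            "attitude_to_risk_notes", "capacity_for_loss_notes")
MAX_PROFILE_AGE = timedelta(days=365)  # assumed firm policy, not a regulatory figure


def _blank(value) -> bool:
    return value is None or (isinstance(value, str) and not value.strip())


def audit_fact_find(record: dict, today: date) -> list:
    """Return reasons the record must not go to the drafting tool (empty = pass)."""
    problems = [f"missing: {f}" for f in REQUIRED if _blank(record.get(f))]
    # A score with no usable recording date cannot be shown to be current.
    recorded = record.get("risk_profile_date")
    if not _blank(recorded):
        if not isinstance(recorded, date):
            problems.append("risk_profile_date is not a date value")
        elif recorded > today:
            problems.append("risk_profile_date is in the future")
        elif today - recorded > MAX_PROFILE_AGE:
            problems.append("risk profile older than firm policy allows")
    # Heuristic for conflation: one assessment copied into the other field.
    atr = record.get("attitude_to_risk_notes")
    cfl = record.get("capacity_for_loss_notes")
    if not _blank(atr) and not _blank(cfl) and \
            str(atr).strip().lower() == str(cfl).strip().lower():
        problems.append("attitude-to-risk and capacity-for-loss notes are identical")
    return problems


# Constructed sample record, not real client data.
SAMPLE = {"client_id": "C-0001", "objectives": "Retire at 62",
          "risk_profile_score": 5, "risk_profile_date": None,
          "attitude_to_risk_notes": "Balanced", "capacity_for_loss_notes": "balanced "}

if __name__ == "__main__":
    for reason in audit_fact_find(SAMPLE, date(2026, 1, 15)):
        print("BLOCK:", reason)
```

A record that returns any reason is sent back to the adviser to complete, not passed on for drafting.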

What an appropriate automation architecture looks like

Once your data is clean, there are two viable approaches for most advice firms, and they sit at different levels of complexity.

Level 1: A structured prompt fed into an AI writing tool, combined with a populated fact-find template. The adviser copies structured client data into a prompt, the tool drafts the report, and the adviser reviews, edits, and signs off before sending. This is available today using tools your firm likely already pays for, costs nothing extra to implement, and requires no integration work. The limitation is that it involves manual copy-paste and is only as consistent as the adviser’s discipline in using it.

Level 2: An automated workflow that pulls completed fact-find data from your back-office system or CRM, passes it to an AI drafting tool, and returns a draft into the adviser’s case management system for review. This uses platforms such as Power Automate, Make, or n8n to connect your existing systems. It requires configuration work rather than engineering, typically takes a few days to set up for a firm with stable back-office infrastructure, and removes the manual copy-paste step entirely. This is the architecture that makes economic sense for a firm doing more than a handful of cases a week.

For automating your suitability reports, Level 2 is the appropriate starting point. A custom-build approach, with bespoke pipelines and complex orchestration, is not really needed for this, unless a firm has highly unusual case types or a very large scale.

What makes AI suitability drafting compliant in practice

The architecture matters less than these four things.

First, constrain the AI to your own documents. The most practically relevant development in this space is the emergence of “grounded” AI tools, where the model is restricted to producing outputs based on uploaded documents rather than generating content from general training. Google’s NotebookLM, for example, reports a sub-1% hallucination rate when constrained to uploaded documents [2]. When your AI is working from your own product literature, your own risk profiles, and your own client data, it is far less likely to introduce information that was never part of the advice process. This matters enormously for suitability, where a stray sentence about a product feature that was not discussed creates a material compliance problem.

Second, the human review step is not optional. Every suitability report produced by an AI-assisted workflow must be reviewed, checked for accuracy against the client record, and formally approved by the responsible adviser before it is sent. This is not a nice-to-have. It is the point at which the firm takes ownership of the output. Any workflow that positions AI as the end point rather than a drafting stage is misconceived. Under Consumer Duty, the firm is accountable for the advice and the document that records it.

Third, your audit trail needs to capture what the AI produced and what was changed. If the FCA were to review a file, you need to be able to show not just the final report but the process by which it was produced. This means logging the inputs used, retaining the AI draft, and recording what the adviser changed and why. Some back-office systems will handle this natively. Others will require you to document the process manually. Either way, the trail needs to exist.

Fourth, data residency matters. Routing client data through a public AI service introduces a question about where that data is processed and stored. For regulated firms, this is a procurement decision, not just a technical one. Before connecting any AI tool to client data, check where data is processed, whether it is used for model training, and whether the vendor’s terms are compatible with your firm’s data policies and your FCA obligations. [3]

What to do now

If your firm is considering automating suitability report drafting, here is a practical sequence.

1. Map your current inputs. Before choosing any technology, document what data a well-drafted suitability report relies on, where it comes from in your current process, and whether it is consistently recorded. If it is not, fix that first.

2. Review your AI vendor terms before connecting client data. Check data processing locations, retention policies, and whether client data is used to train models. This is a minimum step before any integration, not an afterthought.

3. Start at Level 1. Build and test a structured prompt with real cases. Review the output quality against your existing reports. Identify what the AI gets wrong and why. Most of the time, the answer points back to input quality.

4. Design the review step explicitly. The adviser review is not a formality. Build it into the workflow as a named, documented step, and make clear what the reviewer is checking: accuracy against the client record, appropriate personalisation, and consistency with the advice given.

5. Log everything. The inputs used, the draft produced, the changes made, the reviewer’s name and the date. Consumer Duty’s evidencing expectations apply as much to your process as to your outputs.
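A sketch of the audit entry described under the third compliance point and in step 5, as an added example that is not the article's or any back-office system's own code. It assumes the inputs, AI draft and final report are retained in your document store, and that the log entry binds to them by SHA-256 and chains to the previous entry so later edits to the log are detectable. All field names are hypothetical.

```python
import difflib
import hashlib
import json
from datetime import datetime, timezone


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_audit_entry(inputs: dict, ai_draft: str, final_report: str, reviewer: str,
                      change_reason: str, prev_hash: str, when: datetime) -> dict:
    """One append-only log entry for a reviewed report (artefacts stored separately)."""
    diff = list(difflib.unified_diff(ai_draft.splitlines(), final_report.splitlines(),
                                     "ai_draft", "final_report", lineterm=""))
    if not reviewer.strip():
        raise ValueError("no named reviewer")
    if diff and not change_reason.strip():
        raise ValueError("draft was changed but no reason was recorded")
    entry = {
        "reviewed_at": when.astimezone(timezone.utc).isoformat(),
        "reviewer": reviewer,
        "inputs_sha256": _sha256(json.dumps(inputs, sort_keys=True, default=str)),
        "ai_draft_sha256": _sha256(ai_draft),
        "final_sha256": _sha256(final_report),
        "adviser_diff": diff,            # what the adviser changed
        "change_reason": change_reason,  # and why
        "prev_entry_sha256": prev_hash,
    }
    # Hash over the whole entry, including the link to the previous one.
    entry["entry_sha256"] = _sha256(json.dumps(entry, sort_keys=True))
    return entry


def verify_chain(entries: list, genesis: str = "0" * 64) -> bool:
    """True only if every entry is unmodified and linked to its predecessor."""
    prev = genesis
    for e in entries:
        body = {k: v for k, v in e.items() if k != "entry_sha256"}
        if e.get("prev_entry_sha256") != prev or \
                _sha256(json.dumps(body, sort_keys=True)) != e.get("entry_sha256"):
            return False
        prev = e["entry_sha256"]
    return True
```

The hash chain only detects tampering. Who can write to the log and where it is stored remain separate controls.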

The FCA’s current posture on AI

The FCA’s approach to AI in regulated firms has moved steadily from voluntary best practice toward active scrutiny. A joint statement from the FCA and Bank of England has signalled that AI governance for UK-regulated firms is a compliance matter, not just a technology question. [4] The FCA has also noted explicitly that it is reviewing how firms are using third parties, including AI vendors, as part of its supervisory work. [5]

That does not mean automation is problematic. It means the bar for documenting your rationale, your controls, and your oversight arrangements has risen. Firms that can show a well-designed workflow, a documented review process, and a clean audit trail are in a materially better position than firms that have either avoided automation entirely or adopted it without governance.

Intelliflo’s research into hybrid advice models makes a relevant point: technology supports regulatory objectives when it provides consistent, compliant pathways that guide clients through decision points without overwhelming them. [6] That framing applies directly to suitability automation. The goal is not to remove adviser judgement. It is to reduce the mechanical burden so that adviser time goes where it is actually needed.

If automating suitability report drafting is something you are thinking through for your firm, a discovery call with Cordrey Consulting is a practical place to start.


This article is for informational purposes only and does not constitute regulated financial advice or a compliance opinion. Consult a qualified compliance professional for advice specific to your firm.


Sources

  • [1] FCA, Consumer Duty final rules and guidance (PS22/9), 2022. Note: this source is now older than three years and some implementation guidance may have been updated since publication. Sets out the FCA’s requirements for evidencing suitability and good outcomes under Consumer Duty.
  • [2] Google, NotebookLM product documentation and Google Workspace Studio integration announcement, 2026. Vendor-sourced. The sub-1% hallucination figure when constrained to uploaded documents is a vendor claim and has not been independently verified.
  • [3] ICO, Guidance on AI and data protection, 2023. Sets out UK GDPR obligations relevant to using AI systems that process personal data, including data residency and third-party processor requirements.
  • [4] FCA and Bank of England, joint statement on AI governance and operational resilience, 2026. Signals movement from voluntary best practice to active supervisory expectation for AI governance in regulated firms.
  • [5] FCA Publications, commentary on third-party and AI supplier oversight in supervisory context, 2026. Confirms the FCA’s stated intention to review how regulated firms are using AI vendors as part of normal supervisory activity.
  • [6] Intelliflo Insights, research on hybrid advice models and Consumer Duty compliance, 2026. Vendor-sourced research on how technology-supported advice journeys can be structured to meet regulatory requirements.