
Regulators warn firms on AI cyber, the FCA flags Consumer Duty teeth, and asbestos turns up in a doorstop

Dan Warrener

A quieter week with one strategic story for anyone who cares about how AI shows up in financial services. The FCA, Bank of England and HM Treasury jointly published a statement on Thursday warning regulated firms that frontier AI cyber capabilities now exceed what a skilled human attacker can do, at greater speed, greater scale and lower cost. That sits alongside last Friday's Which? story citing the FOS Chief Operating Officer as saying that up to a third of recent complaints appear AI-generated, with some running to 200+ pages of fake laws and made-up rulings. Two halves of the same problem.

Plus an FCA blog post quietly reminding lenders that the Consumer Duty has teeth and they will use them, fresh British Gas compensation tiers in the £40 to £1,000 range, and a notably long list of product recalls including a Dunelm doorstop range that has been pulled because the sand inside contains asbestos.

Here's what changed and what to do about it.

1. UK regulators told banks to prepare for AI-driven attacks

On 15th May the FCA, the Bank of England and HM Treasury published a coordinated statement on what they call "frontier AI models and cyber resilience". The framing is unusually direct. They wrote that current frontier AI cyber capabilities "are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost".

The statement doesn't introduce new rules. It restates existing operational-resilience expectations across five domains (governance and strategy, vulnerability management, third-party risk, protection, and response and recovery) and tells boards they need to understand frontier AI risk well enough to set strategic direction on it. Firms that have under-invested in cyber fundamentals are explicitly told they are now sitting on a board-level governance failing.

For consumers, this matters for one specific reason. If your bank, insurer or investment platform suffers a data breach or fraud loss after 15th May 2026 that traces back to an AI-enabled attack, this joint statement strengthens the regulator-set bar for "reasonable security" under UK GDPR Article 32 and under the Consumer Duty. The chain is short: regulators have told firms what was expected; firms either did it or didn't; if they didn't, the case for an Article 82 distress claim and for a Consumer Duty complaint gets stronger.

What to do if it affects you: if you receive a data-breach notification from a UK financial firm between now and the end of the year, keep it. Document any anxiety, time spent on credit-file monitoring, time spent changing passwords and any actual financial loss. If you've already had a breach notification this year, the same applies retrospectively. Article 82 compensation isn't capped at the date of the notification.

2. The FCA's quietest enforcement signal of the week

On 14th May, Charlotte Clark, the FCA's Director of cross-cutting policy and strategy, published a blog called Supporting customers through challenging times. On the surface it reads as a friendly reminder. Read carefully, and it's an enforcement signal.

The blog explicitly cites PS24/2, the policy statement on strengthening protections for borrowers in financial difficulty that came into force in November 2024, and applies it to current cost-of-living pressures, including utility, food and fuel prices that the FCA links to ongoing Middle East tensions. It sets four pillars: products and services need to keep meeting customer needs as circumstances change; price and value need continuous monitoring with charges reduced, value improved or products withdrawn where fair value is gone; consumer understanding must be clearer, more prominent and more timely (with explicit anticipation of customers exiting 5-year fixed-rate mortgages); and consumer support must be accessible, staffed for vulnerability recognition and willing to discuss repayment arrangements.

The closing line: "We will use our supervisory and, where appropriate, enforcement powers when we see poor outcomes or inadequate action."

What to do if it affects you: if you've been refused forbearance, asked to pay an excessive fee while in financial difficulty, or kept on hold for hours when trying to discuss a payment plan, you now have a fresh and senior FCA citation to quote in a Consumer Duty complaint. If your mortgage fix is ending in the next six to twelve months, you can also write to your lender now and ask, in writing, what proactive support they intend to offer when the new rate takes effect. The blog says they should be ready for this.

3. British Gas compensation tiers are now public

MoneySavingExpert and Citizens Advice continued to lead with the British Gas prepayment-meter settlement this week. The new detail is the compensation tier table:

  • Process issues: £40 to £60
  • Insufficient debt support: £250
  • Unfair treatment: £250
  • Vulnerability overlooked: £500
  • Inappropriate meter installation: £1,000

That's on top of £20m British Gas has paid into Ofgem's redress fund. The Ofgem deadline for British Gas to identify and pay all eligible customers from the 2018 to 2021 window is 30th June 2027. Customers don't need to take the first step (BG will contact you), but the obvious risk is that contact never arrives. Former customers will be paid by cheque.

Eight other suppliers (Ecotricity, EDF, E.on Next, Good Energy, Octopus, Scottish Power, Tru Energy and Utility Warehouse) were already ordered in 2025 to pay a combined £5.6m compensation plus £13m of debt write-offs to 40,000 customers for similar conduct.

What to do if it affects you: if you had a prepayment meter installed by British Gas between 2018 and 2021 and you haven't heard from them in the next 90 days, that's the point to start chasing. Same logic applies if you were a vulnerable customer of any of the other eight named suppliers in 2022 to 2023.

4. Seven product recalls, including asbestos in a doorstop

Which? refreshed its 2026 product recall listing on 15th May. Seven new entries are worth noting:

  • Dunelm Novelty Doorstops: multiple designs, withdrawn because the sand used as filler contains asbestos. Return to Dunelm for refund. The highest-severity item in the batch.
  • Yaheetech Barrel Chair (model 592191) and Sofa Bed (model 615825): failing UK furniture flammability standards. Stop using immediately and contact Monumart Ltd on 01473 744360.
  • Babysense Max View Baby Monitor (VBM55RX): fire risk from battery overheating. Register at support.recallsecure.com for replacement.
  • Build-A-Bear Heartwarming Hugs Bear 2 (model 434464): choking risk from a detachable zipper. Sold between 21st January and 6th March 2026. Contact 0800 037 9782.
  • BHS Mattress Enhancers (Lyocell and Plush variants): failing flammability standards. Email helpdesk@cascadehl.com for return.
  • 3D Printed Dragon Fidget Toy (Y1522-BlackGold) sold on eBay: choking risk. Contact the eBay seller.
  • Hobbycraft 3D Pen Kit (3666085950462): burns risk from overheating nib.

Separately, the Food Standards Agency announced on 16th May that Filippo Berio UK Hot Chilli Pesto has been recalled because of undeclared fish. Unsafe for anyone with a fish allergy.

What to do if it affects you: if you own any of these, stop using and follow the contact details above. If you bought through an online marketplace and the seller is unresponsive or overseas, you may have a separate route under the Digital Markets, Competition and Consumers Act 2024, which extends marketplace-operator duties to recalls. If you have already had an allergic reaction or an injury caused by one of these products, the route stops being about a refund and starts being about personal injury. Speak to a solicitor, not a complaint platform.

5. The thing nobody else wrote about this week

The two regulator stories above join up if you look at them sideways. On one side, the FCA is telling firms to defend against AI-driven attacks. On the other, the FOS COO is telling consumers not to use vanilla AI to draft complaints. Both stories are about the same underlying mistake: treating a general-purpose large language model as a serious adult tool when it is, today, neither secure enough to attack your bank with nor disciplined enough to write a complaint that an ombudsman will respect.

Consumer-side AI tools that work for disputes need verified citations, length governors, an evidence layer, a human-readable audit trail, and a refusal to invent law. That is the gap consumer-side AI should fill this year. We'll have more to say on that in a separate post next week.

This is a weekly digest. None of this is legal advice; it's a summary of public news and regulator guidance with practical pointers. If you have a live consumer dispute and want a hand structuring it, start a free EvenStance case.


Dan Warrener

Consumer rights advocate
