Market Analysis: The Mills Review 2026 and the Device Lifecycle
You can stop pedalling, but you can't stop steering…
TL;DR Key Findings:
- First regulator-led review of AI in retail financial services globally, published July 2026, setting FCA direction to 2030 without changing the Handbook.
- Its autonomy spectrum moves the decision from the human handler to the automated system while accountability stays with the firm
- Automated fraud screening meets a real problem, Cifas finding 15% report a false pre-existing-damage claim by themselves or someone they know, but higher autonomy raises the insurer's accountability.
Now that Wimbledon is done for another year and I no longer have an excuse to procrastinate. So this week I’ve taken a dive into the Mills Review. According to the FCA, the review into the impact of AI on retail financial services is the first of its kind initiated by a regulator, globally.1 If you don’t fancy sitting down with all 147 pages, here are some thoughts on a few bits relevant to the device lifecycle and protection sectors…
What it is and what it isn’t
The Mills Review was commissioned by the FCA Board, led by Sheldon Mills, published in July 2026 and examines how AI could reshape financial services by 2030 and beyond. It’s a review, not a rulebook and it sets a direction for the FCA. It does not, in itself, change the FCA Handbook.
The review was scoped to cover retail financial services including advice, credit, insurance, payments, savings, and pensions. It names insurance, underwriting and claims among the functions AI will embed into. Within this Substack’s range of interests, device protection and to some extent, credit broking is of interest and whilst the report says nothing about grading, trade-in valuation or the secondary market more broadly, it’s worth keeping those processes in mind for any associated learning.
The core finding from the review is that AI in financial services will move from human-led and episodic usage to AI-enabled, continuous and delegated usage. The more difficult questions related to consent, accountability, auditability and redress arrive as decisions transition from people to systems. With that in mind, the review offers an “autonomy spectrum” as the framework around which each of the four central findings is wrapped. These are characterised as “System Shifts”: how firms will transform internally as they navigate the autonomy spectrum; how AI will transform customer journeys along the spectrum; what a reshaped competition landscape might look like; and amplified financial crime and cyber risk.
On insurance, the review finds that AI will move cover closer to the point-of-need and automate shopping and claims guidance. On credit, it covers AI-mediated lending decisions, affordability and steering. Within the competition shift, the review sketches out five scenarios for how AI-mediated services might be structured, one of which puts the phone operating system as the default gateway, iOS and Android as the route through which consumers reach financial products.
The review recognises that AI adoption is already material; its own 2026 survey found that 81% of firms are using AI at some level, 40% at a more advanced scaling or transformational level, and around a fifth of consumers, some 11 million UK adults, are likely to use AI that acts autonomously within set goals. The Mills Review closes with seven recommendations to the FCA, led by securing the regulatory perimeter and monitoring the shift to autonomous models.
Given the review covers financial services in general, it’s fair to ask whether any of it reaches the device lifecycle and protection sectors. It does. The regulated activities it governs cluster around a single device, the credit that buys the phone, the insurance that protects it, the claim later decided under that policy. And as AI solidifies the phone’s role in how people transact, the importance of the device, its provenance and its protection rises rather than falls.
Insurance product selection
Applying the Mills Review’s core claim to insurance, as the consumer travels along the autonomy spectrum, insurance buying ceases to be a one-off decision at the point-of-sale and becomes continuous and delegated. Agentic AI brings cover to the point-of-need, compares, recommends, buys and then keeps watching for opportunities to switch to a more appropriate cover for the consumer, within set limits. Selecting cover and the ongoing management becomes one financial activity carried out on the consumer’s behalf. The consequence is delegation. This goes well beyond assistance as the decision moves to the agent within the consumer’s guidance and limits.
Device protection and warranty products are relatively simple with limited variations and acquired almost entirely alongside new device purchases.2 Whether the consumer needs screen cover only, accidental damage or loss and theft is a relatively simple decision, easily delegated to a financial agent. Given the narrow band of sellers, channel selection is unlikely to pose any difficulty transitioning along the autonomy spectrum either and I would expect an AI agent to easily navigate products at point-of-sale, sold independently by direct insurers, as part of a premium bank account or as away-from-home additions to a home and contents policy. This is not life insurance.
Once L4 or L5 maturity is achieved, the important clarification is that delegation is not assistance. Within the set limits, two things stop being the consumer’s to control: what they are shown and what the agent is working towards.
Whoever controls the interface will likely control what is seen and compared and the phone operating system as the default gateway is one of the Review’s five competition scenarios. For a market in which approximately 90% of policies are sold through telco, bank and retail channels, an AI agent gateway is a threat to how cover reaches the customer in the future. Perhaps the operating system or AI agent becomes the intermediary?
Whatever the agent is working towards will presumably align with the consumer’s constraints and we can expect capable agents to weigh benefits and features against price. In fact, the Review assumes agents will match consumers with better products, not worse. So the risk here is not competence. It’s whose objective the agent serves, which the consumer cannot see, and whether relentless price-led shopping thins the products on offer, the FCA’s own general insurance pricing question. In device insurance that thinning has obvious casualties: the excess going up, what counts as accidental damage, whether theft and loss are in at all, cover narrowed while the price falls.
Claims decisioning
Damage and breakdown claims, in general, are straightforward. There’s a notification, the device is returned, it’s inspected to validate the claim, there’s a repair or a replacement, or not, and a device is returned to the customer. In the case of an Advanced Exchange, not necessarily in that order. For a loss or theft claim, there’s no device to inspect and therefore the decision relies on non-physical signals that include things like IMEI checks, network usage stopping, a crime reference number and so on.
Mills separates the rules-based systems and task-specific machine learning models that have long supported fraud detection, i.e. models designed for well-defined tasks that behave predictably once deployed, from the foundation models behind the agentic shift, and asks what changes as decisioning climbs the autonomy spectrum. The Review attaches its harder questions, consent, accountability and redress, to the higher end of that spectrum, so as claims decisioning climbs, the decision moves from the handler to the automated system while accountability for it stays with the insurer. It also flags a governance move, from validating a model at deployment to monitoring it live, because a model tested at deployment can perform differently as, for example, the fraud patterns and consumer behaviour around it change. The Review calls this model drift, as the model's accuracy over time, not just at launch, becomes the supervisory concern.

Back in the real world, there is an actual problem to detect, and attitudes to it are hardening. Cifas, the UK's fraud prevention service, found that 19% of people believed it was legal to claim for pre-existing phone damage on a new policy, which is fraudulent, and that 15% said they or someone they knew had made such a claim in the past year.3 Across first-party fraud generally its surveys track the attitude as well as the act, and the share of UK adults who consider such fraud reasonable rose from 48% to 50% between 2024 and 2025.4 These are attitudes and admitted behaviour rather than a claims-fraud rate, but they describe a permissive and widening backdrop, and they make advancing detection, AI included, a legitimate response rather than mere cost control.
Much of the rules-based groundwork that the Review describes is already in place although at varying levels of effectiveness: Recipero's ClaimsCheck confirms at the point of claim whether a device reported stolen has been barred by the network, whether the serial number matches the device claimed, and whether it has already been sold or is of interest to another insurer.5 The GSMA Device Check6 and Open Gateway features expose network-level checks, flagging a recent SIM swap, a claimant's old SIM appearing in a new device, or a mismatch between the device raising the claim and the one reported lost.7 These are the task-specific checks the Review sets apart from the foundation-model shift, decided against defined rules, and they flag a claim for attention rather than settle it.
For damage claims, automation already reaches the decision itself. EIP's Autoclaim reads a drop from the phone's own sensors, checks the policy history and, where no referral is needed, submits, approves and arranges the repair. EIP describes it as parametric, a defined trigger producing a defined outcome.8 It settles the clean case within rules and refers the rest, which is the established, predictable category the Review contrasts with the agentic shift, not the autonomous judgement the Review is concerned with.
Currently sitting outside all of this is condition. And whilst machine assessment of a device's physical condition is mature, it mostly operates in grading for trade-in and recommerce, a valuation exercise, and not in the claim.9 The capability to judge condition by machine therefore exists and runs daily elsewhere in the device lifecycle; whether it belongs inside the claim decision, bringing newfound legitimacy to the term “like-for-like replacement”, and with what accountability when a foundation model rather than a handler makes the call, is the question the Review's direction of travel leaves open for this sector.
Trade-in
The Mills Review doesn’t cover trade-in which is currently governed by contract, not regulation: the grade sets the price and the contract settles any dispute. That holds whilst grading is a human task, but as grading automates, the decision that sets a device's value comes to rest on the contract and the merchant's chosen grading standard, with no regulatory backstop behind it. Those standards are inconsistent, as Finsur's condition grading analysis set out a few weeks ago, so an increasingly automated decision rests on an increasingly uncertain footing.
Summary
Automation is climbing everywhere across the device lifecycle and protection sectors, but the Review’s questions of accountability and redress follow it only where the activity is regulated. Those deploying AI should recognise that the regulatory perimeter will move as the automation does. A model deployed today will have to answer to that shift tomorrow, and building it to explain and stand behind its decisions from the start is easier than retrofitting that later. The Review looks to 2030 and beyond, and the next move is the FCA’s as it weighs its seven recommendations. Nothing changes for the sector tomorrow. Tour de France anyone?
Peace,
sb.


