UK to warn banks over Anthropic AI finding system flaws

UK regulators will warn banks, insurers and exchanges within two weeks after Anthropic’s Claude Mythos Preview flagged thousands of high-severity software vulnerabilities. Officials from the Bank of England, the Financial Conduct Authority, HM Treasury and the National Cyber Security Centre are reviewing risks to Britain’s financial infrastructure.

Regulators have placed the issue on the agenda for the next meeting of the Cross Market Operational Resilience Group (CMORG). The group, co-chaired by Duncan Mackinnon of the Bank of England and David Postings of UK Finance, includes senior representatives from major banks, financial infrastructure providers, insurers and government agencies.

Anthropic released Claude Mythos Preview to a limited set of customers last week and reported the system found “thousands of high-severity vulnerabilities, including some in every major operating system and web browser,” with some weaknesses present for decades. Officials are assessing whether those findings could be used to exploit payment systems, trading venues or insurance networks.

David Raw, managing director for resilience at UK Finance, acknowledged the press reports and noted, “We are aware of the press reports on the Anthropic AI development and the risks highlighted.” He added that UK Finance works with its members and through public/private partnerships on operational risks that could affect sector resilience.

UK authorities are coordinating with international counterparts. In the United States, Treasury officials have summoned leaders from major Wall Street banks to discuss similar concerns about AI tools that can surface software vulnerabilities.

Anthropic cautioned that such capabilities could spread beyond actors committed to safe deployment and warned, “the fallout for economies, public safety, and national security could be severe.” Regulators are evaluating both the technical severity of the flaws and how broader access to similar tools could change the threat landscape.

If regulators judge the risk urgent, CMORG can escalate the matter. The Bank of England can also convene the Cross Market Business Continuity Group within one to two hours in response to an immediate threat; that group has not been called in this case.

Separately, a major AI firm has paused plans for a large UK data center project, citing the need for affordable energy and clearer regulation before committing to long-term infrastructure investment. The company said it sees potential in the UK and will proceed when conditions allow.

Lawmakers are considering changes to copyright rules that could affect how firms train models on creative works. Regulators and industry working groups will carry out technical reviews and discussions over the coming fortnight to map exposure and consider defensive steps.