📕 LLM Security: 50+ Adversarial Probes you need to know.
Download the guide
Knowledge
Blog
December 30, 2025
4 min read
Blanca Rivera Campos

When AI financial advice goes wrong: ChatGPT, Copilot, and Gemini failed UK consumers

In November 2025, ChatGPT, Microsoft Copilot, Google Gemini, and Meta AI were caught giving UK consumers dangerous financial advice: recommending they exceed ISA contribution limits, providing incorrect tax guidance, and directing them to expensive services instead of free government alternatives. In this article, we analyze the UK incident, explain why these chatbots failed, and show how to prevent similar failures in your AI systems.
When AI financial advice goes wrong: ChatGPT, Copilot, and Gemini failed UK consumers

A UK consumer asked ChatGPT for ISA contribution advice. The chatbot confidently recommended exceeding legal limits, advice that could trigger HMRC penalties. In November 2025, major AI chatbots including ChatGPT, Microsoft Copilot, Google Gemini, and Meta AI were caught providing dangerous financial guidance to British users.

General-purpose AI chatbots (systems trained to handle everything from recipe suggestions to code debugging) are being asked to navigate complex, regulated domains like personal finance. Without domain-specific safeguards, these systems hallucinate plausible-sounding answers that can cost users thousands in penalties, lost contributions, and unnecessary insurance purchases.

In this article, we analyze the AI incident in the UK, explain why these chatbots failed, and how to test AI agents before they give advice that costs users money.

The AI chatbot failure: What happened

Several prominent AI chatbots produced incorrect and potentially harmful financial advice for UK consumers. The failures included:

  • ISA limit violations: Systems advised users to exceed annual Individual Savings Account contribution limits, which could result in HMRC penalties and loss of tax benefits
  • Misleading tax guidance: Chatbots provided inaccurate information about tax declaration rules and obligations
  • Unnecessary insurance recommendations: Users were directed to purchase travel insurance for scenarios where coverage wasn't legally required
  • Expensive service referrals: Instead of mentioning free tax refund services provided by HMRC, chatbots guided users to paid third-party refund services

{{cta}}

Hallucination in General-Purpose LLMs

This is a hallucination failure, a common limitation of current large language models. These chatbots generate responses by predicting likely word sequences based on training data, not by retrieving verified facts from authoritative sources. When asked about UK financial regulations, the models fabricate confident-sounding answers that mirror the structure and tone of legitimate advice without checking regulatory accuracy.

The technical mechanism is straightforward: Users simply asked these general-purpose chatbots for financial advice. No sophisticated attack was required. No guardrails were bypassed. The systems failed in their default operating mode because:

  1. They lack access to up-to-date, jurisdiction-specific financial regulations
  2. They have no mechanism to refuse providing guidance in regulated domains
  3. They cannot distinguish between general information and advice that requires professional licensure

The cost of AI chatbot failures in financial services

Impact on users

The consequences for UK consumers who trusted these chatbots were:

Financial harm: Users who follow this advice face direct monetary losses. Exceeding ISA contribution limits can result in penalties from HMRC, forced withdrawal of excess contributions, and permanent loss of that year's contribution allowance. Following incorrect tax advice can lead to underpayment penalties or overpayment with no recourse for recovery.

Erosion of trust: These chatbots are marketed with terms like "intelligent," "helpful," and "reliable." When users discover the advice was wrong, they lose confidence not just in AI tools but in digital financial guidance broadly. This damages what researchers call "epistemic integrity": the public's ability to trust any information source.

No accountability: Unlike licensed financial advisors subject to regulatory oversight and professional liability, AI chatbot providers operate in a regulatory gray zone. Users cannot easily seek compensation for losses stemming from bad AI advice. There's no professional standards body to file complaints with, no insurance to cover damages.

Risks for AI providers

This incident also puts AI providers in the crosshairs of regulators, customers, and markets:

Regulatory exposure: Companies deploying these systems face mounting legal risk. In the UK, providing financial advice without authorization violates Financial Conduct Authority rules. While current regulations don't explicitly address AI-generated advice, regulators are watching these incidents closely. The EU AI Act and similar frameworks are beginning to establish liability for high-risk AI systems.

Reputational damage: Each publicized AI failure becomes a case study in why enterprises hesitate to deploy generative AI in customer-facing roles. For companies building AI products for financial services, these incidents validate the concerns of risk-averse decision-makers.

Systemic impact: If millions of users rely on AI for financial decisions, small systematic errors compound into macro-economic disruptions: tax revenue shortfalls from widespread mis-reporting, distortions in insurance markets from unnecessary policy purchases, or oversubscription of tax-advantaged accounts forcing government intervention.

How to prevent AI failures in financial advice systems

For general-purpose chatbot users

Users should verify all financial information provided by AI chatbots. Never act on advice regarding taxes, investments, insurance, or legal obligations without consulting licensed professionals or official government sources. General-purpose AI tools are not designed for regulated advice.

For organizations building financial AI agents

The solution isn't to avoid AI in financial services, but to test rigorously before deployment. Reactive monitoring detect failures only after users are harmed. What financial services need is proactive red teaming: systematically attacking your AI agent with edge cases, adversarial prompts, and domain-specific scenarios before real users encounter them.

Giskard provides automated testing infrastructure to detect these failures. The platform generates test cases targeting both security vulnerabilities (prompt injection, data leakage) and business logic failures (hallucinations, inappropriate advice). It validates that your agent behaves correctly and refuses to operate outside its authorized scope.

Automated LLM vulnerability scanning

Giskard's LLM vulnerability scanner stress-tests your agent with adversarial probes designed to expose weaknesses before malicious actors do. For financial AI agents, the scanner runs targeted attacks including:

  • Unauthorized advice probes: Generate requests for financial recommendations, investment guidance, and tax counseling to verify your agent refuses to provide advice outside its authorized scope
  • Hallucination detection probes: Test whether your agent fabricates contribution limits, tax rules, or regulatory requirements when asked about financial topics
  • Misinformation probes: Attempt to manipulate your agent into spreading false claims about ISA rules, tax refund services, or insurance requirements
Giskard Hub - Unauthorized advice probe

The scanner automatically generates hundreds of test cases tailored to your agent's domain, uncovering failure patterns you wouldn't discover through manual testing. Each probe simulates real attack scenarios.

Business logic validation

Beyond security vulnerabilities, Giskard validates that your agent behaves in the authorised scope:

Conformity checks ensure agents respect business boundaries. For a financial services agent, you implement rules like:

  • "The agent should not provide financial advice"
  • "The agent should not guide users on tax declaration"
  • "The agent should refer users to licensed professionals for investment guidance"

These checks validate that agents refuse questions outside their authorized scope. When a user asks "Should I max out my ISA?", a properly tested agent responds: "I can't provide personalized financial advice. For questions about ISA contribution limits and tax implications, please consult a licensed financial advisor or visit gov.uk for official guidance."

Giskard Hub - Conformity check

Groundedness checks verify agent responses are anchored to authoritative sources. For financial agents with access to regulatory documentation, Giskard ensures:

  • Responses cite specific regulatory sources (HMRC guidance on ISA rules)
  • Claims about contribution limits match official documentation
  • Tax advice reflects current year regulations, not outdated information

Conclusion

The UK incident exposes a gap in AI deployment: ChatGPT, Copilot, Gemini, and Meta AI all failed when asked about UK financial regulations. No sophisticated attack was needed. Users simply asked for ISA guidance and received advice that could trigger HMRC penalties.  Hallucinations in regulated domains aren't edge cases, they're predictable failures that occur during normal operation when general-purpose chatbots are asked questions requiring domain expertise and regulatory compliance.

Organizations deploying AI in financial services must shift from reactive monitoring to proactive testing. Discovering failures in production, through user complaints, regulatory audits, or media investigations, is too late. By the time issues surface, users have already suffered financial harm and trust is damaged.

Giskard enables this shift. Rather than hoping your AI agent will refuse inappropriate requests or always ground responses in factual data, you verify these behaviors before they occur. The platform converts discovered vulnerabilities into permanent regression tests, ensuring fixes remain effective as agents evolve.

Ready to test your AI agents before they fail in production? Book a demo to see how Giskard detects hallucinations, validates business logic, and prevents costly AI failures.

Continuously secure LLM agents, preventing hallucinations and security issues.
Book a Demo

You will also like

Beyond sycophancy: The risk of vulnerable misguidance in AI medical advice

Healthcare employees in Hyderabad have noticed a disturbing direction in self-doctoring: two of their patients relied on generic AI chatbot advice for their healthcare interventions, and some of them suffered serious medical consequences. Two recent cases demonstrate the vulnerability of misguidance to a subtle risk in deployed agents, which can allow the agent to be harmful by encouraging harmful behaviour.

View post
Phare LLM benchmark V2: Reasoning models don't guarantee better security

Phare LLM benchmark V2: Reasoning models don't guarantee better security

Phare (Potential Harm Assessment & Risk Evaluation) is an independent, multilingual benchmark designed to evaluate AI models across four critical dimensions, or “modules”: hallucination, bias, harmfulness, and vulnerability to jailbreaking attacks. This second version expands our evaluation to include reasoning models from leading providers, allowing us to assess whether these advanced systems represent a meaningful improvement in AI safety.

View post
OWASP top 10 for agentic applications 2026

OWASP top 10 for agentic applications 2026: Understanding the risks of agents and tools

The Top 10 for Agentic Applications, released in December 2025, lists the highest-impact threats to autonomous AI agentic applications, systems that plan, decide, and act across tools and steps. It distills the top threats in a practical manner, building directly on prior OWASP work while highlighting agent-specific amplifiers, such as delegation and multi-step execution. The list pivots from passive LLM risks to active agent behaviors. Agents are treated as principals with goals, tools, memory, and inter-agent protocols as distinct attack surfaces.

View post
Get AI security insights in your inbox