EU AI Act for Banking: High-Risk Credit Scoring & the Fraud-Detection Nuance
Banks run AI across lending, onboarding, fraud and advice — and the EU AI Act (Regulation (EU) 2024/1689) reserves its toughest tier for the decisions that gate access to credit. AI that evaluates the creditworthiness or credit score of consumers is high-risk under Annex III. The obligations apply wherever the model is built, provided its output is used in the EU market.
Is it in scope?
Annex III(5)(b) covers AI used to evaluate the creditworthiness of natural persons or establish their credit score, which places consumer lending decisions firmly in the high-risk tier. The listing contains an explicit carve-out: AI used to detect financial fraud is not high-risk on that basis. Classification therefore turns on function — whether the system determines access to credit — not merely on operating inside a bank. Separately, biometric identity checks at onboarding may engage Annex III(1), and any life or health insurance sold through the bank engages Annex III(5)(c).
Typical AI use cases
- Consumer credit scoring and creditworthiness assessment
- Automated loan and mortgage underwriting
- Transaction fraud detection
- Anti-money-laundering monitoring and alerting
- Biometric identity verification at onboarding
Risk classification
Consumer credit-scoring and creditworthiness systems are high-risk, whether developed in-house or licensed. A bank that builds its own model is the provider (Art. 9–15); a bank deploying a vendor model is a deployer under Art. 26. Data governance and bias mitigation under Art. 10 are especially load-bearing given discrimination risk in lending. Fraud detection and AML monitoring sit outside the high-risk credit listing under the fraud carve-out, but should be documented since combined platforms blur the boundary. Corporate (non-natural-person) credit assessment falls outside this specific trigger.
Obligations to prepare for
Your exact duties also depend on whether you build or use the AI. See obligations by operator role — provider, deployer, importer, distributor or GPAI provider.
FAQ
Is our fraud-detection engine high-risk?
Generally no. AI used specifically to detect financial fraud is expressly excluded from the high-risk credit-scoring category under Annex III(5)(b). Systems that assess creditworthiness and gate access to lending, by contrast, are high-risk.
Does credit scoring for corporate clients count?
The Annex III listing targets the creditworthiness and credit scoring of natural persons. Purely corporate credit assessment falls outside that specific high-risk trigger, though other obligations and prudential rules may still apply.
We licence a third-party scoring model — who is responsible?
The vendor is the provider and carries the design-time duties under Art. 9–15. Your bank is the deployer under Art. 26, responsible for correct use, meaningful human oversight and ongoing monitoring of the model in practice.
Run the free 2-minute risk checker — no sign-up.