EU AI Act for Fintech & Banking: Credit Scoring & High-Risk AI
Banks and fintechs run AI across lending, onboarding and fraud — and the EU AI Act (Regulation (EU) 2024/1689) singles some of these out for its toughest tier. AI that evaluates creditworthiness or credit scores for access to essential services is high-risk under Annex III. The obligations bite regardless of where the provider is established, as long as the output is used in the EU.
Is it in scope?
Annex III lists access to essential private and public services, expressly including AI used to evaluate the creditworthiness of natural persons or establish their credit score. Consumer lending decisions are therefore firmly in scope. There is an important carve-out: AI used to detect financial fraud is not high-risk on that basis alone. The classification turns on whether the system determines a person's access to credit, not on the fact that it operates inside a bank.
Typical AI use cases
- Credit scoring and creditworthiness assessment
- Automated loan and mortgage underwriting
- Transaction fraud detection
- Anti-money-laundering monitoring and alerting
- KYC document verification and identity checks
- Robo-advisory and portfolio recommendation
Risk classification
Consumer credit-scoring and creditworthiness systems are high-risk, whether built in-house or licensed. A fintech that develops its own scoring model is the provider and must meet Art. 9–15; a bank deploying a vendor model is a deployer under Art. 26. Fraud detection and AML monitoring generally sit outside the high-risk tier under the fraud-detection nuance — but should still be documented, since the same platform may combine both functions and misclassification is a common compliance gap.
Obligations to prepare for
FAQ
Is our fraud-detection engine high-risk under the AI Act?
Generally no. AI used specifically to detect financial fraud is excluded from the high-risk credit-scoring category. Creditworthiness and credit-scoring systems that gate access to lending, however, are high-risk.
Does credit scoring for businesses count?
The Annex III listing targets the creditworthiness and credit scoring of natural persons. Purely corporate credit assessment falls outside that specific high-risk trigger, though other obligations may still apply.
We licence a third-party scoring model — who is responsible?
The vendor is the provider and bears the design-time duties (Art. 9–15). Your bank or fintech is the deployer under Art. 26, responsible for correct use, human oversight and ongoing monitoring.
Run the free 2-minute risk checker — no sign-up.