EU AI Act | June 29, 2026 | 13 min read

ACPR AI Governance for French Banks: Credit, AML and DORA

How the ACPR governs AI in French banks and insurers: its four evaluation criteria, AML-CFT supervision, and how it stacks with the EU AI Act FRIA and DORA.

Antonella Serine

Founder, KLA Digital

Founder of KLA Digital, building the independent runtime governance control plane for regulated AI agents under the EU AI Act.

ACPR criteria

Four interdependent criteria for AI in finance: data management, performance, stability, explainability (ACPR, Governance of AI in Finance, June 2020).

Supervisor for AI

France's draft scheme would make the ACPR the market-surveillance authority for financial-sector high-risk AI; proposed and still pending adoption as of June 2026.

Credit scoring

AI credit scoring is high-risk (Annex III 5(b)) and needs an Article 27 FRIA; AI whose main use is fraud detection is carved out.

DORA

DORA applies since 17 January 2025; AML, credit and fraud AI can be a critical or important ICT function today.
Under ACPR oversight, a French bank governs AI across credit scoring, AML monitoring, and fraud detection, with operational resilience under DORA.

A French bank or insurer that deploys AI answers to two sets of expectations at once. The binding EU regimes set the floor: the EU AI Act, DORA, and the EU AML Regulation. On top of them sits the ACPR (Autorité de contrôle prudentiel et de résolution), France's prudential supervisor for banks and insurers, which has published its own expectations for how AI in finance should be governed. The two layers converge on the same demands in different vocabulary: documented and representative data, demonstrable performance, stable behaviour over time, and explanations an examiner can reproduce. This guide maps the ACPR's framework onto the binding regimes for the three AI systems a French bank is most likely to run in 2026 — consumer credit scoring, AML transaction monitoring, and card-payment fraud detection. For the pan-EU, regime-led view that sits underneath the French lens, see governing AML and payments agents; this piece covers how that lands for an ACPR-supervised institution.

Who the ACPR is and what it supervises

The ACPR — Autorité de contrôle prudentiel et de résolution — is France's prudential supervisor for banks and insurers. It is an independent administrative authority backed by the Banque de France, which provides its staff and operational means (ACPR). Its mandate runs across three strands: prudential soundness, anti-money-laundering and counter-terrorist-financing (AML-CFT, in French LCB-FT — lutte contre le blanchiment de capitaux et le financement du terrorisme), and the protection of customers and policyholders.

On AML-CFT the ACPR monitors French institutions' compliance with their national and EU obligations, conducts on-site and off-site inspections, and can impose administrative sanctions through its Sanctions Committee for breaches. That supervisory and sanctioning posture is the lens through which any AI system touching financial crime is examined in France. A second role is taking shape under the EU AI Act: France's draft designation scheme proposes the ACPR as the market-surveillance authority for financial-sector high-risk AI, a designation still pending adoption that the credit-scoring section below sets out in full.

The ACPR's four AI evaluation criteria

In June 2020 the ACPR published a discussion document, Governance of Artificial Intelligence in Finance, building on exploratory work it launched in March 2019 with financial-sector participants across three use cases: AML-CFT, internal models (specifically credit scoring), and customer protection (ACPR publication). Two cross-cutting themes carried through that work: the evaluation of AI algorithms and their governance.

The document sets out four interdependent evaluation criteria for any AI algorithm used in finance: appropriate data management, performance (predictive accuracy), stability over time, and explainability (the availability of valid explanations). It pairs the criteria with governance expectations covering human/algorithm interaction, initial and continuous validation, and audit conducted on both analytical and empirical grounds.

This is a discussion and consultation document. It states the supervisor's expectations and carries the weight of supervisory guidance; the binding instruments are the EU AI Act, DORA and the AMLR. The practical reading is to treat the four criteria as the standard a French institution will be examined against, layered on top of those regimes. The table maps each criterion to a control and to the evidence an examiner can request.

ACPR's four AI evaluation criteria mapped to controls and evidence

| ACPR criterion (2020) | What the supervisor expects | Control to implement | Evidence to retain |
| --- | --- | --- | --- |
| Data management | Representative, documented, quality-controlled training and input data | Data lineage and quality gates aligned to AI Act Article 10; representativeness and proxy-variable review | Data documentation, quality metrics, lineage logs, Annex IV references from the provider |
| Performance | Demonstrable, monitored predictive accuracy | Accuracy thresholds, backtesting, champion/challenger benchmarking | Validation reports, performance dashboards, backtest results |
| Stability | Behaviour stable over time and across populations | Drift monitoring (e.g. population stability index), defined retraining triggers | Drift-monitoring logs, retraining records, alert history |
| Explainability | Valid explanations scaled to the audience and the risk | Reason codes for declines (observation/justification); model card and feature attribution for the second line (approximation); reproducible pipeline for auditors (replication) | Per-audience explanation artifacts, adverse-action reason codes, reproducible model package |
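The stability row names a population stability index with defined retraining triggers as the control, and drift logs and retraining records as the evidence. The block below is an added example (not the ACPR's or the page's own code) that implements that control end to end: quantile bins from the reference score distribution, the PSI computation, assumed thresholds of 0.10 (investigate) and 0.25 (retrain) that are an industry convention rather than an ACPR rule, and the JSON log record an examiner would ask for. All score samples are constructed.

```python
"""Stability monitoring with a population stability index (PSI).
Added example; thresholds and sample scores are constructed/assumed,
not taken from the ACPR or the page."""
import json
import math
from datetime import datetime, timezone

PSI_INVESTIGATE = 0.10   # assumed: investigate the shift
PSI_RETRAIN = 0.25       # assumed: defined retraining trigger


def quantile_edges(reference, n_bins=10):
    """Bin edges taken from the reference (training-time) score distribution."""
    s = sorted(reference)
    inner = [s[int(i * (len(s) - 1) / n_bins)] for i in range(1, n_bins)]
    return [-math.inf] + inner + [math.inf]


def bin_fractions(scores, edges):
    """Share of scores falling in each [edges[i], edges[i+1]) bin."""
    counts = [0] * (len(edges) - 1)
    for x in scores:
        for i in range(len(counts)):
            if edges[i] <= x < edges[i + 1]:
                counts[i] += 1
                break
    return [c / len(scores) for c in counts]


def psi(expected, actual, eps=1e-4):
    """PSI = sum((actual - expected) * ln(actual / expected)); eps avoids log(0)."""
    total = 0.0
    for e, a in zip(expected, actual):
        e, a = max(e, eps), max(a, eps)
        total += (a - e) * math.log(a / e)
    return total


def evaluate_stability(model_id, reference_scores, production_scores, n_bins=10):
    """Compare a production score batch with the reference distribution and decide the action."""
    edges = quantile_edges(reference_scores, n_bins)
    value = psi(bin_fractions(reference_scores, edges),
                bin_fractions(production_scores, edges))
    if value >= PSI_RETRAIN:
        action = "RETRAIN_TRIGGERED"
    elif value >= PSI_INVESTIGATE:
        action = "INVESTIGATE"
    else:
        action = "STABLE"
    # One record per check is the drift-monitoring log / alert history an examiner can request.
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "model_id": model_id,
        "psi": round(value, 4),
        "n_production": len(production_scores),
        "action": action,
        "thresholds": {"investigate": PSI_INVESTIGATE, "retrain": PSI_RETRAIN},
    }


if __name__ == "__main__":
    # Constructed data: a uniform reference score set and a batch shifted towards high risk.
    reference = [i / 100 for i in range(100)]
    shifted = [0.5 + i / 200 for i in range(100)]
    print(json.dumps(evaluate_stability("credit-score-v7", reference, reference)))
    print(json.dumps(evaluate_stability("credit-score-v7", reference, shifted)))
```

Appending each returned record to an immutable store gives the "drift-monitoring logs, retraining records, alert history" column its evidence; the `action` field is what ties a retraining to a dated trigger.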

Explainability the ACPR's way: four levels

Explainability under the ACPR framework has internal structure. The supervisor defines four levels of explanation, scaled to the audience and the business risk of the decision: observation, justification, approximation, and replication (Télécom Paris analysis).

The point of the scale is to match the depth of explanation to who is asking and how consequential the decision is. A retail borrower gets an observation-level account of what the system does and what it is for; the specific reason a loan was declined sits one level up, at justification. An auditor or the ACPR can demand replication, the ability to reproduce the model's behaviour identically. Designing for replication from the outset is what lets a bank answer a supervisor with the model package already in hand.

The ACPR's four levels of explainability

| Level | Primary audience | What it delivers |
| --- | --- | --- |
| Observation | Customer / end user | A plain-language account of what the system does and what it is for |
| Justification | First-line / internal control | The reason a decision came out as it did, such as why a loan was declined |
| Approximation | Second-line / compliance | A simplified surrogate that approximates the model's behaviour |
| Replication | Auditors and supervisors (incl. the ACPR) | The ability to reproduce the model's behaviour identically |

Where the EU AI Act bites: credit scoring is high-risk

The EU AI Act reaches a French bank most directly through credit scoring. Annex III point 5(b) classifies as high-risk any "AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud" (Annex III). Point 5(c) adds AI used for risk assessment and pricing in life and health insurance. A consumer-credit-scoring model therefore lands in high-risk scope, and a French insurer pricing life or health cover does too.

A deployer of a high-risk credit-scoring system must complete an Article 27 Fundamental Rights Impact Assessment before deployment and, under Article 27(3), notify the market-surveillance authority of the results, submitting the filled-out template. The six required FRIA components and the full method live in the FRIA template; the worked credit-scoring FRIA fills all six sections for exactly this case, and the high-risk classification guide and the risk classifier walk the Annex III logic that puts the model in scope.

In France the market-surveillance authority for financial-sector high-risk AI is intended to be the ACPR itself. The government's designation scheme (draft published 9 September 2025) proposes a sector split: the DGCCRF as the coordinating single point of contact under Article 70, the CNIL as de-facto lead for personal-data and biometric AI, with Arcom, ANSSI, and the ACPR taking audiovisual, cybersecurity, and financial-sector AI respectively (designation analysis). As of June 2026 France has not finally designated its national competent authorities; the scheme remains pending parliamentary adoption. Treat the ACPR-as-MSA designation as proposed. The EU AI Act applies directly regardless of which national authority is named.

A credit decision taken solely by automated means also engages GDPR Article 22, which gives the applicant a right to human review, a route to contest the decision, and meaningful information about the logic involved. Article 27(4) lets the FRIA complement and build on the GDPR DPIA, so a French bank can run the two assessments together. One timing point applies to the FRIA itself: the Article 27 obligation is binding from 2 August 2026 until the Digital Omnibus (provisionally agreed around 7 May 2026) is published in the Official Journal, which would defer stand-alone Annex III high-risk to 2 December 2027. The Omnibus is not yet law as of June 2026, so the prudent basis is to keep preparing for 2 August 2026.

AML, fraud and the carve-out

AML monitoring and fraud detection are governed differently from credit scoring. The Annex III 5(b) carve-out reaches only a system whose main intended use is detecting financial fraud, so a standalone card-payment fraud-detection model is not high-risk on that basis. The Commission's draft guidelines on high-risk classification (published 19 May 2026, in public consultation until 23 June 2026, not yet adopted) read the carve-out narrowly: it does not cover a fraud-detection feature bundled into a creditworthiness system, which stays high-risk, and it does not extend to AML/CFT checks. A standalone AML/CFT transaction-monitoring system is not creditworthiness evaluation and is not otherwise listed in Annex III, so it sits outside high-risk scope; an AML/CFT system that is functionally linked to and also used for credit scoring falls within point 5(b) and is high-risk.

Outside the AI Act, both systems remain firmly governed. DORA, the AMLR, the ACPR's LCB-FT supervision, and the Wolfsberg AI/ML principles apply, and the pan-EU detail on those regimes is in the hub post, governing AML and payments agents. For a French institution the ACPR is the supervisor enforcing the LCB-FT obligations, with on-site and off-site inspection and the power to impose administrative sanctions. The AMLR, which applies from 10 July 2027, sharpens the evidence demand: its Article 69 requires an obliged entity to answer a financial intelligence unit's request for information within five working days, shortened to under 24 hours in justified urgent cases. In France the FIU is Tracfin and a suspicious-activity report is a déclaration de soupçon. An alert-triage agent that auto-clears false positives has to leave a trail an examiner can reconstruct against that clock. The AML risk assessment tool and the AMLR 2027 readiness checklist cover the underlying obligations.
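The paragraph above asks that an alert-triage agent which auto-clears false positives leave a trail an examiner can reconstruct against the Article 69 clock, with SAR decisions adjudicated by a human. The block below is an added example (not the page's or any vendor's code) of one way to build that: a hash-chained, append-only decision trail that refuses agent-originated escalations, a reconstruction function that fails closed on a broken chain, and a working-day deadline calculator. Alert ids, actor names and rationales are constructed; the working-day rule (Monday to Friday, no public holidays) is a simplification of the five-working-day period.

```python
"""Tamper-evident alert-triage trail for an AML monitoring agent.
Added example; alert ids, actors and the Mon-Fri working-day rule are
constructed/simplified, not taken from the page or any regulator."""
import hashlib
import json
from datetime import date, timedelta

GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class TriageTrail:
    """Append-only, hash-chained record of every triage decision."""

    def __init__(self):
        self.entries = []

    def record(self, alert_id, decision, actor, rationale, features):
        # The agent may only auto-clear; escalation and SAR decisions need a human adjudicator.
        if decision != "AUTO_CLEAR" and actor.startswith("agent:"):
            raise ValueError("escalation/SAR decisions require a human adjudicator")
        body = {
            "seq": len(self.entries),
            "alert_id": alert_id,
            "decision": decision,
            "actor": actor,
            "rationale": rationale,
            "features": features,  # input snapshot so the decision can be replayed later
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Recompute every hash and link; an edited or dropped entry breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def reconstruct(self, alert_id):
        """Ordered decision history for one alert, refused if the trail fails integrity."""
        if not self.verify():
            raise RuntimeError("trail integrity check failed")
        return [e for e in self.entries if e["alert_id"] == alert_id]


def fiu_deadline(request_iso, working_days=5):
    """Last day for answering an FIU information request, counted in working days."""
    d = date.fromisoformat(request_iso)
    remaining = working_days
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday; public holidays ignored (simplification)
            remaining -= 1
    return d.isoformat()


def build_sample_trail():
    """Constructed scenario: one auto-clear, one escalation ending in a SAR."""
    t = TriageTrail()
    t.record("ALT-0001", "AUTO_CLEAR", "agent:triage-v3", "recurring payroll pattern", {"amount": 1200.0, "score": 0.03})
    t.record("ALT-0002", "ESCALATE", "analyst:j.dupont", "structuring below threshold", {"amount": 9900.0, "score": 0.91})
    t.record("ALT-0002", "SAR_FILED", "analyst:j.dupont", "déclaration de soupçon sent to Tracfin", {"sar_ref": "DS-PLACEHOLDER"})
    return t
```

Persisting each entry as it is written (and anchoring the latest hash somewhere the agent cannot overwrite) is what turns `reconstruct` into evidence rather than a convenience query.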

DORA: operational resilience for AI in French banks

DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), entered into force on 16 January 2023 and has applied since 17 January 2025. It is the regime most likely to bite a French bank's AI today, because it is already in force and reaches both the systems and the vendors behind them.

A cloud or AI/ML vendor generally falls within DORA's broad Article 3 definition of an ICT third-party service provider. The obligations stay with the financial entity: pre-contractual due diligence on the vendor, maintaining the register of information on all ICT arrangements (Article 28), and reporting major ICT incidents (Article 19). An AML, sanctions, credit-decisioning, or fraud system can qualify as a critical or important function under Article 3(22) through a documented, entity-specific self-assessment. Where it meets that test, the AI behind it is in DORA scope at full weight. The ACPR supervises DORA readiness for French banking and insurance entities, and the DORA Article 30 tool covers the third-party contractual clauses the register has to reflect.

A governance map for a French bank

Take Banque Méridienne, a mid-size French universal bank supervised by the ACPR. In 2026 it deploys three AI systems: an AI consumer-credit-scoring model for personal-loan and revolving-credit decisions; an AI AML transaction-monitoring and alert-triage agent that clears false positives and drafts déclaration de soupçon narratives for Tracfin; and an AI card-payment fraud-detection model that blocks or holds suspicious card transactions in real time. The Head of Compliance has to govern all three against ACPR expectations, the EU AI Act, DORA and the AMLR at the same time. The three systems do not land in the same place under the AI Act.

Classification separates them immediately.

How the three AI systems classify under the EU AI Act

| AI system | EU AI Act classification | Article 27 FRIA? | Governing regimes that still bite |
| --- | --- | --- | --- |
| Consumer credit scoring | High-risk — Annex III 5(b) | Yes — deployer FRIA before deployment; notify the ACPR (MSA) under Art 27(3) | AI Act Arts 10/13/14/15/26; GDPR Art 22; ACPR model governance |
| AML transaction monitoring / alert triage | Usually not standalone high-risk (draft Commission guidance, 19 May 2026, not adopted; high-risk if linked to credit scoring) | No | DORA; AMLR/AMLD6; ACPR LCB-FT supervision; Wolfsberg |
| Card-payment fraud detection | Not high-risk — standalone fraud detection (Annex III 5(b) carve-out) | No | DORA; ACPR model risk / outsourcing; GDPR |

Expectation, control, evidence across credit, AML and fraud

Classification sets the AI Act duties, and the binding regimes plus the ACPR's own expectations fill in the rest. The map below states each regulatory expectation, the control that satisfies it, and the evidence an examiner can ask for across Banque Méridienne's three systems. The same control-and-evidence discipline holds whichever system is in front of you, which is why a single mapping works. The control-mapping view shows how one control can satisfy several frameworks at once.

For Banque Méridienne the practical sequence is to run the Article 27 FRIA on the credit model and notify the ACPR, classify each of the three systems for DORA criticality, keep the AML trail reconstructable to the Tracfin and Article 69 clocks, and document independent validation of all three against the ACPR's four criteria before go-live.

Governing AI across credit, AML and fraud at a French bank — expectation, control, evidence

| Regulatory expectation (source) | Control to implement | Evidence to retain |
| --- | --- | --- |
| FRIA before deployment for credit scoring (AI Act Art 27) | Complete the six-part Article 27(1) FRIA; complement and reuse the GDPR DPIA per Art 27(4); notify the ACPR of the results per Art 27(3) | Completed FRIA, DPIA cross-reference, dated notification record to the ACPR |
| High-risk deployer duties for credit scoring (AI Act Arts 10/14/15/26) | Verify provider conformity (Annex IV), keep automatic logs (Art 26), enable human override (Art 14) | Provider declaration and Annex IV, deployer logs, override records |
| Automated-decision safeguards (GDPR Art 22) | Human review of declines, contestation route, meaningful information about the logic | Adverse-action reason codes, human-review records, contestation log |
| AML-CFT supervision (ACPR LCB-FT today; AMLR Art 69 five-working-day FIU response, applies 10 Jul 2027) | Human adjudication of SAR decisions; auditable alert-triage trail; ability to reconstruct any decision on demand | Case files, decision trail, SAR/Tracfin records, FIU-response timestamps |
| Operational resilience (DORA Reg 2022/2554, since 17 Jan 2025) | Classify AML/credit/fraud AI as critical or important ICT function where it meets Art 3(22); maintain the ICT register (Art 28); report major incidents (Art 19); due-diligence the AI vendor | Register of information, criticality assessment, incident reports, vendor due-diligence |
| ACPR model governance (Governance of AI in Finance, 2020) | Independent initial validation before go-live and periodic revalidation; defined human/algorithm interaction and RACI; analytical and empirical audit | Validation sign-offs, revalidation schedule, oversight policy, audit findings |
| Fraud detection not high-risk (Annex III 5(b) carve-out) | The carve-out removes the FRIA and leaves model risk in place: keep monitoring, drift control, and human review of holds | Model inventory entry, performance and drift logs, false-positive review |

Frequently Asked Questions

What is the ACPR and what does it regulate?

The ACPR (Autorité de contrôle prudentiel et de résolution) is France's prudential supervisor for banks and insurers, an independent administrative authority backed by the Banque de France. It supervises prudential soundness, anti-money-laundering and counter-terrorist-financing (AML-CFT / LCB-FT), and customer and policyholder protection, with powers to inspect institutions and to impose administrative sanctions.

What does the ACPR expect for AI governance in finance?

In its June 2020 discussion document Governance of Artificial Intelligence in Finance, the ACPR set out four interdependent evaluation criteria — appropriate data management, performance, stability, and explainability — alongside governance expectations covering human/algorithm interaction, initial and continuous validation, and audit. It is supervisory guidance rather than binding law, and it frames how French institutions are examined.

Is the ACPR the AI Act authority for AI in French banks?

Under France's designation scheme (draft published 9 September 2025), the ACPR is intended to be the market-surveillance authority for financial-sector high-risk AI (credit and insurance), alongside the DGCCRF as coordinating contact point and the CNIL for personal-data and biometric AI. The designation was still pending parliamentary adoption as of June 2026, so treat it as proposed rather than settled.

Is AI credit scoring high-risk under the EU AI Act, and does it need a FRIA?

Yes. AI used to evaluate creditworthiness or set a credit score is high-risk under Annex III point 5(b), and the deployer must complete an Article 27 Fundamental Rights Impact Assessment before deployment and notify the market-surveillance authority (in France, the ACPR) of the results under Article 27(3). The one exception in 5(b) is AI whose main intended use is detecting financial fraud; a fraud-detection feature bundled into a credit-scoring system stays high-risk.

Are AML transaction-monitoring AI systems high-risk under the AI Act?

Usually not on their own. A standalone AML/CFT transaction-monitoring system is not creditworthiness evaluation and is not otherwise listed in Annex III, so it sits outside high-risk scope. The Commission's draft guidelines on high-risk classification (19 May 2026, in consultation, not yet adopted) add a caveat: an AML/CFT system functionally linked to and also used for credit scoring falls within Annex III point 5(b) and is high-risk, and the fraud-detection carve-out does not extend to AML/CFT checks. AML systems remain governed by DORA, the AML Regulation (applies 10 July 2027), the ACPR's LCB-FT supervision, and the Wolfsberg AI/ML principles.

How does DORA apply to AI in French banks?

DORA (Regulation (EU) 2022/2554) has applied since 17 January 2025. AI/ML systems that support AML, credit decisioning or fraud control can qualify as a critical or important ICT function, the AI vendor can be an ICT third-party service provider, and the bank must keep the ICT register (Article 28) and report major incidents (Article 19). The ACPR supervises DORA compliance in France.

What is the ACPR's explainability framework?

The ACPR defines four levels of explanation scaled to audience and risk: observation, justification, approximation, and replication. Observation suits an end customer; replication — reproducing the model's behaviour identically — is the standard for auditors and supervisors. This lets a bank match the depth of explanation to who is asking and how consequential the decision is.

Key Takeaways

A French bank or insurer governing AI in 2026 works under two layers that ask for the same evidence. The EU AI Act, DORA and the AMLR set binding duties — an Article 27 FRIA and ACPR notification for credit scoring, operational-resilience controls for any critical AI function, and a reconstructable AML trail to the Tracfin and FIU clocks. The ACPR's four evaluation criteria — data management, performance, stability, and explainability, with explanation scaled from observation to replication — describe how a supervisor will test whether those duties are met. Building credit, AML and fraud AI to satisfy the criteria and the binding regimes together is what lets a French institution answer the ACPR with documentation already in hand. Two statuses to re-check before relying on any deadline: France has not yet finally designated the ACPR as its AI Act financial-sector authority, and the Digital Omnibus that would move the high-risk and FRIA dates to 2 December 2027 is not yet law. This article is general information and not legal advice; confirm your obligations with qualified counsel, and re-check the regulatory status — including the pending French authority designation and the Digital Omnibus timing — before acting.
