EU AI Act Compliance for Financial Services

Annex III category 5(b): Creditworthiness assessment

AI systems used to evaluate the creditworthiness of natural persons or establish their credit score are explicitly high-risk. This includes:

• Automated credit decisioning: Systems that approve, deny, or recommend credit decisions
• Credit scoring models: AI that generates credit scores used in lending decisions
• Underwriting automation: Systems that assess loan applications and set terms
• Risk pricing models: AI determining interest rates or credit limits based on individual assessment

Annex III category 5(a): Access to essential services

AI systems used to evaluate eligibility for essential private services are high-risk. In financial services, this includes:

• Bank account access decisions: AI determining who can open accounts
• Insurance access: Systems affecting whether individuals can obtain insurance coverage
• Payment service eligibility: AI controlling access to payment accounts or services
• Mortgage qualification: Automated systems determining mortgage eligibility

Systems that may NOT be high-risk

Not all financial AI triggers high-risk classification:

• Customer service chatbots: General inquiry handling without decisioning authority
• Fraud detection for internal investigation: Systems that flag for human review without automated action
• Market analysis tools: AI for investment research used by professionals
• Internal process automation: Operational AI without customer-facing decisions
• Recommendations with human decision: Advisory systems where humans make final decisions

When banks are providers

You are a provider if you:

• Build proprietary AI systems for credit decisioning, fraud detection, or other purposes
• Commission AI development from vendors who develop to your specifications
• Substantially modify third-party AI systems beyond intended use
• Put your name on the AI system as if you developed it
• Use open-source models in systems you deploy to customers

When banks are deployers

You are a deployer if you:

• Use third-party AI tools in your operations (ChatGPT, vendor credit models, etc.)
• Implement vendor AI systems according to their intended purpose
• Operate AI systems developed by others without substantial modification

The substantial modification question

A critical issue for financial services: when does customization make you a provider?

You likely become a provider if you retrain models on proprietary data, modify decision logic significantly, integrate AI into systems that change its intended purpose, or extend the AI to use cases not covered by the original provider.

You likely remain a deployer if you configure parameters within documented ranges, use the system for its intended purpose, or apply standard integrations the provider anticipated.

Mapping Annex IV to credit decisioning systems

Annex IV documentation covers general description (intended purpose, provider information, version history), detailed description (model architecture, data inputs/outputs, decision-making logic), monitoring and control (human oversight mechanisms, logging capabilities), risk management (known risks, mitigation measures, testing results), and change management procedures.

Connecting to existing model risk management

Financial services organizations have existing model risk management (MRM) frameworks, often based on SR 11-7 or similar guidance. Annex IV documentation can build on existing model documentation, validation reports, performance monitoring, and change management records.

Gap analysis focus: Annex IV typically requires more detail on human oversight mechanisms, fundamental rights considerations, and evidence of actual implementation than traditional MRM.

Data governance for financial data

Article 10 data governance requirements present specific challenges for financial services including training data documentation with full lineage, bias assessment for representation and fairness, data quality measures, and privacy considerations for GDPR-compliant handling.

Designing approval workflows for high-risk decisions

For credit decisioning and other high-risk AI, implement structured approval workflows with risk-based routing:

Override procedures and documentation

When humans override AI decisions, documentation must include who (identity and authority), when (timestamp), what (AI decision and human decision), why (rationale), and supporting evidence.

Audit trail requirements include tamper-evident storage, retention aligned with regulatory requirements (typically 7+ years), queryable format, and integrity verification.

What financial regulators will ask

Based on emerging regulatory guidance, expect questions on:

• Governance: How do you classify AI systems by risk level? Who is accountable for AI governance decisions?
• Evidence: Can you show me the decisions this AI made last month? Who approved the escalated decisions?
• Outcomes: What are the fairness metrics? How do outcomes differ across demographic groups?
• Incidents: What incidents has this system had? How were they identified and remediated?

Evidence retention and integrity

For evidence to satisfy auditors, it must be complete (all relevant decisions captured), accurate (reflecting what actually happened), timely (captured at decision time), secure (protected from modification), and verifiable (independently confirmable integrity).