AI Governance & ComplianceDeep DiveFreshLast reviewed: · 52d ago

    EU AI Act for Financial Services: What Banks & Insurers Must Do

    TL;DR

    Quick Answer
    Cited by AI
    Banks & insurers using credit scoring, AML, or underwriting AI must meet EU AI Act high-risk requirements by August 2, 2026 — or face fines up to €30M.

    The EU AI Act classifies most credit scoring, fraud detection, and underwriting AI as high-risk. Here is what that means for your compliance roadmap.

    The EU AI Act (Regulation 2024/1689) is the world's first binding AI law, applying risk-based requirements to AI systems used in financial services including credit scoring, insurance underwriting, fraud detection, and anti-money laundering tools across all EU member states.

    Eric Lundberg - Author at Alice Labs
    Written by
    Linus Ingemarsson - Reviewer at Alice Labs
    Reviewed by
    Published
    18 min read
    €30M

    Maximum fine for high-risk AI non-compliance (or 6% of global turnover)

    EU AI Act, Article 99 (European Parliament and Council, 2024)

    Aug 2, 2026

    Compliance deadline for high-risk AI systems in financial services

    EU AI Act, Article 113 (European Parliament and Council, 2024)

    €200B

    EU investment commitment to AI development through 2027

    European Commission, Artificial Intelligence initiative page (November 2025)

    What you'll learn

    • Which AI use cases in banking, insurance, and fintech are classified as high-risk under the EU AI Act
    • The exact compliance deadlines that apply to financial institutions in 2025 and 2026
    • What technical and governance obligations high-risk AI systems must satisfy
    • How the EU AI Act overlaps with existing financial regulation (DORA, MiFID II, GDPR)
    • A practical compliance checklist for risk, legal, and technology teams
    • What fines and enforcement mechanisms apply to non-compliant financial institutions

    Key Takeaways

    • Most AI systems used in credit scoring, insurance underwriting, AML, and fraud detection qualify as high-risk under Annex III of the EU AI Act (Regulation 2024/1689).
    • The deadline for high-risk AI compliance is August 2, 2026 — financial institutions have a 24-month transition window from the Act's entry into force on August 1, 2024.
    • Non-compliance with high-risk AI rules carries fines of up to €30 million or 6% of global annual turnover, whichever is higher.
    • Financial institutions must maintain technical documentation, implement human oversight mechanisms, conduct conformity assessments, and register systems in the EU AI database before deployment.
    • The EU AI Act introduces a dual-layer obligation: firms acting as AI providers (building models) face stricter requirements than deployers (using third-party AI tools), but deployers still carry significant obligations.
    • DORA, GDPR, and MiFID II already impose overlapping obligations — an integrated compliance approach reduces duplication and total cost of compliance.
    01 / 08Chapter

    Why Financial Services Are Squarely in Scope

    In short

    The EU AI Act explicitly lists credit scoring, insurance risk assessment, and fraud detection in Annex III as high-risk AI use cases, meaning virtually every major AI deployment in banking and insurance requires full compliance.

    The EU AI Act organises AI systems into four tiers: prohibited AI, high-risk AI, limited-risk AI, and minimal-risk AI. Financial services firms are not a special category — they follow the same rules as every other sector.

    The issue is that Annex III's high-risk use cases map almost perfectly to the core operations of modern banks and insurers. If your institution uses AI for credit, underwriting, fraud, or AML, you are almost certainly operating high-risk AI systems.

    Which Annex III Categories Apply to Financial Services?

    The EU AI Act's Annex III lists eight areas of high-risk AI. Four of them directly govern financial services operations:

    • Annex III, Point 5(b): AI used in creditworthiness assessment and credit scoring of natural persons — covering retail lending, mortgage origination, and credit line decisions.
    • Annex III, Point 5(c): AI used in life and health insurance risk assessment and pricing — covering underwriting models and premium calculation engines.
    • Annex III, Point 4: AI used in employment and HR contexts — relevant for fintech firms using automated hiring tools.
    • Annex III, Point 6: AI used in law enforcement contexts, which the European Banking Authority's November 2025 report confirms includes AML and CFT transaction monitoring systems operated by supervised institutions.

    According to the European Banking Authority's November 2025 report on AI Act implications, the majority of AI use cases at EBA-supervised institutions fall into the high-risk category. This is not a marginal compliance edge case — it is the mainstream of financial AI.

    The OECD's February 2026 report on the EU Coordinated AI Plan (Volume 2) identified finance as one of the top three EU sectors with the highest rate of AI adoption in high-impact applications. High adoption combined with high-risk classification means the compliance surface area is unusually broad.

    ⚠ No grandfather clause

    AI systems deployed before August 1, 2024 are not exempt. All high-risk systems in production must achieve full compliance by August 2, 2026, regardless of when they were built or launched.

    EU AI Act Risk Classification for Common Financial Services AI Use Cases

    EU AI Act Risk Classification for Common Financial Services AI Use Cases
    AI Use Case Risk Category Annex III Reference Primary Obligation
    Credit scoring High-Risk Point 5(b) Conformity assessment, technical documentation, human oversight
    Mortgage affordability tools High-Risk Point 5(b) Conformity assessment, technical documentation, human oversight
    Life insurance underwriting High-Risk Point 5(c) Conformity assessment, risk management system, EU database registration
    Fraud detection / AML High-Risk Point 6 Conformity assessment, logging, human oversight, incident reporting
    Robo-advisory / investment recommendations Limited-Risk or High-Risk (design-dependent) Point 5(b) if creditworthiness elements present Transparency obligation at minimum; full high-risk obligations if in scope
    Customer service chatbots Limited-Risk Not in Annex III Transparency obligation: disclose AI interaction to users
    HR screening tools at fintechs High-Risk Point 4 Conformity assessment, technical documentation, human oversight

    Provider vs. Deployer: Who Bears the Heaviest Compliance Burden?

    Under Article 3 of the EU AI Act, a provider is any entity that develops and places an AI system on the market or into service. A deployer is any entity using an AI system under its own authority.

    Most large banks building proprietary credit models are providers. Most mid-size banks and insurers licensing vendor-supplied scoring tools are deployers. The compliance obligations differ significantly between the two roles.

    • Providers must: conduct conformity assessments, prepare technical documentation, affix CE marking where required, and register systems in the EU AI database before deployment.
    • Deployers must: implement genuine human oversight, conduct data governance checks, monitor systems in operation, train relevant staff, and report serious incidents to competent authorities.

    A critical point: Goodwin Law's August 2024 analysis of EU AI Act obligations notes that deployer obligations are "more limited but not trivial." A bank cannot outsource compliance to its AI vendor — it retains responsibility for how the system is used in practice.

    This mirrors the logic already familiar from GDPR's controller/processor framework. Regulated institutions have navigated this split before — the AI Act applies the same principle to algorithmic decision-making.

    For guidance on structuring your broader AI governance approach, see our EU AI Act compliance guide and the detailed EU AI Act compliance checklist for 2026.

    Top 3

    Finance ranked among EU sectors with highest high-impact AI adoption

    OECD, EU Coordinated AI Plan Volume 2 (February 2026)

    02 / 08Chapter

    Compliance Timeline: Every Deadline Financial Institutions Must Know

    In short

    The EU AI Act entered into force on August 1, 2024, with a phased implementation schedule. The critical deadline for financial services — high-risk AI compliance — falls on August 2, 2026.

    The Act's phased structure means different obligations activated at different dates. Financial institutions that missed the February 2025 checkpoint on prohibited practices are already out of compliance.

    The August 2, 2026 deadline for Annex III high-risk systems is not a soft target. The European Banking Authority's November 2025 guidance confirms that national competent authorities will expect supervised institutions to demonstrate demonstrable progress by mid-2026 at the latest.

    Full EU AI Act Implementation Timeline for Financial Services

    EU AI Act Implementation Timeline for Financial Services
    Date Milestone Who It Affects Action Required
    August 1, 2024 Act enters into force All firms deploying AI in the EU Begin AI inventory gap assessment; assign compliance ownership
    February 2, 2025 Prohibited AI practices enforceable (Article 5) All firms Audit for prohibited practices: social scoring, real-time biometric surveillance in public spaces (with narrow exceptions), subliminal manipulation
    August 2, 2025 GPAI model obligations apply Firms using foundation model APIs (GPT-4, Claude, Gemini, etc.) in products Conduct GPAI compliance checks; review vendor agreements for systemic-risk model disclosures
    August 2, 2026 High-risk Annex III compliance deadline All banks, insurers, and fintechs using high-risk AI Full conformity assessment, technical documentation, risk management system, human oversight, EU database registration
    August 2, 2027 High-risk AI in existing products (Article 111 transition) Firms with high-risk AI embedded in regulated products already on the market Bring embedded high-risk AI into full compliance (extended timeline for product-integrated systems only)
    💡 Start your AI inventory now

    A compliance-ready AI inventory — listing every AI system, its use case, risk classification, provider/deployer role, and data sources — is the mandatory first step. For a bank with 15+ AI systems, this alone takes 6–10 weeks.

    Why the Clock Is Already Running

    Based on Alice Labs' experience supporting 100+ enterprise AI implementations since 2023, a realistic compliance readiness program for a mid-size bank typically requires 9–14 months end-to-end. That means institutions starting in Q4 2025 are already operating in the danger zone.

    The conformity assessment alone — particularly for bespoke credit models — requires documented risk management systems, bias testing across protected characteristics, data quality attestations, and human oversight protocols that take months to design and validate.

    • Q3 2025 (now): Complete AI inventory; classify each system by risk tier and provider/deployer role.
    • Q4 2025: Conduct gap analysis against Annex III obligations; prioritise by risk and deployment volume.
    • Q1 2026: Build technical documentation, data governance attestations, and human oversight protocols for each high-risk system.
    • Q2 2026: Complete conformity assessments; register systems in EU AI database; conduct staff training.
    • August 2, 2026: Full compliance operational; monitoring and incident reporting procedures live.

    For firms still building their broader AI strategy, our AI strategy for financial services guide covers how to align governance timelines with business transformation objectives.

    03 / 08Chapter

    High-Risk AI Obligations: What Financial Institutions Must Actually Build

    In short

    High-risk AI systems under the EU AI Act require six categories of technical and governance controls: a risk management system, data governance, technical documentation, logging and record-keeping, transparency to deployers, and human oversight mechanisms.

    Being classified as a high-risk AI system under Annex III is not a label — it is a compliance programme. Articles 9 through 15 of the EU AI Act specify six mandatory obligation categories that providers must satisfy before placing a high-risk AI system into service.

    Deployers face a parallel but lighter set of obligations under Article 26. Both sets are described below.

    Six Mandatory Obligations for High-Risk AI Providers (Articles 9–15)

    • 1. Risk Management System (Article 9): A documented, ongoing process to identify, analyse, and mitigate foreseeable risks. Must be iterative — not a one-time assessment — and must cover risks arising from intended use and reasonably foreseeable misuse.
    • 2. Data Governance (Article 10): Training, validation, and test datasets must be relevant, representative, and free of errors. Data governance practices must address known biases and statistical limitations. For credit models, this includes demographic fairness testing across protected characteristics.
    • 3. Technical Documentation (Article 11 + Annex IV): A pre-deployment documentation package covering system architecture, training methodology, performance metrics, known limitations, and intended purpose. Annex IV lists 12 specific documentation elements.
    • 4. Automatic Logging (Article 12): High-risk AI systems must generate logs sufficient to enable post-hoc monitoring of system operation. For financial AI, this means audit-trail logging of every individual decision, the inputs used, and the output produced.
    • 5. Transparency to Deployers (Article 13): Providers must supply deployers with documentation sufficient to understand the system's capabilities, limitations, accuracy performance, and human oversight requirements. For vendor-supplied scoring tools, this obligation falls on the vendor.
    • 6. Human Oversight (Article 14): Systems must be designed to allow human intervention — stopping, overriding, or flagging decisions. For credit decisions, this means a qualified human must be able to review and overturn any automated decision. Nominal oversight mechanisms that are not genuinely operable do not satisfy this requirement.

    Deployer Obligations Under Article 26

    Institutions licensing AI from third-party vendors are deployers. Article 26 sets out their specific obligations, which are distinct from provider requirements but far from trivial.

    • Implement human oversight mechanisms as specified by the provider's technical documentation.
    • Ensure staff operating high-risk AI systems have adequate AI literacy and role-specific training.
    • Monitor system performance in operation and report serious incidents to the relevant national market surveillance authority within defined timeframes.
    • Conduct a Fundamental Rights Impact Assessment (FRIA) where required — applicable to public bodies and, in certain cases, private operators of high-risk AI affecting natural persons.
    • Retain logs generated by the AI system for the period specified in Article 12 — typically a minimum of 6 months, longer where financial regulatory record-keeping obligations apply.

    Conformity Assessment and EU AI Database Registration

    Before deploying any high-risk AI system, providers must complete a conformity assessment. For most financial AI use cases, this is a self-assessment — there is no mandatory third-party auditor required under Annex III (unlike some other sectors).

    However, self-assessment does not mean informal. The conformity assessment must be documented, evidence-based, and retained for 10 years post-deployment under Article 18. Following conformity assessment, providers must register their system in the EU AI public database before the system goes live.

    For institutions assessing how to structure internal processes around these requirements, our AI governance framework guide provides a practical starting point for building the oversight structures the Act requires.

    04 / 08Chapter

    How the EU AI Act Overlaps With DORA, GDPR, and MiFID II

    In short

    The EU AI Act overlaps substantially with DORA's ICT risk management requirements, GDPR's automated decision-making rules, and MiFID II's algorithmic trading and suitability obligations — creating both duplication and opportunities for integrated compliance.

    Financial institutions are already operating under one of the most complex regulatory frameworks in any sector. The EU AI Act does not replace existing obligations — it layers on top of them.

    The good news: many AI Act requirements align closely with controls your institution may already have partly in place under DORA, GDPR, or MiFID II. An integrated compliance approach avoids building duplicate frameworks.

    DORA (Digital Operational Resilience Act)

    DORA requires financial entities to implement ICT risk management frameworks, conduct ICT-related incident reporting, and manage third-party ICT risk. These obligations entered full application on January 17, 2025.

    The overlap with the EU AI Act is direct and significant:

    • ICT risk management vs. AI risk management: DORA's ICT risk framework (Articles 5–15) and the AI Act's risk management system (Article 9) both require documented risk identification, control design, and ongoing monitoring. A single integrated risk management framework can satisfy both.
    • Third-party ICT risk vs. deployer obligations: DORA's requirements for managing third-party ICT providers map closely to the AI Act's deployer obligations for vendor-supplied AI — both require contractual assurances, performance monitoring, and exit strategies.
    • Incident reporting: Both frameworks require notification to competent authorities for serious incidents — DORA for major ICT incidents, the AI Act for serious incidents involving high-risk AI systems. A single incident triage and reporting workflow can serve both.

    GDPR and Automated Decision-Making (Article 22)

    GDPR Article 22 already restricts fully automated decisions with significant effects on individuals — which includes credit decisions and insurance pricing. Data subjects have the right to explanation and human review.

    The AI Act's human oversight requirement (Article 14) and transparency obligations (Article 13) reinforce and extend these GDPR protections rather than replacing them. Key points of integration:

    • Explainability: GDPR Article 22 requires meaningful information about the logic of automated decisions. The AI Act requires technical documentation covering system logic and limitations. Both push institutions toward interpretable or explainable AI design choices.
    • Data minimisation vs. data representativeness: GDPR's data minimisation principle and the AI Act's data governance requirements (Article 10) can create tension — using less data satisfies GDPR but may reduce model representativeness required by the AI Act. Legal and data science teams need to align.
    • DPIAs and FRIAs: GDPR Data Protection Impact Assessments and AI Act Fundamental Rights Impact Assessments cover overlapping ground. A combined impact assessment methodology reduces duplication.

    MiFID II

    MiFID II's suitability and appropriateness obligations (Articles 24–25) already require investment firms to ensure that automated recommendations account for client characteristics and objectives. Algorithmic trading systems are subject to pre-deployment testing and ongoing monitoring requirements under MiFID II RTS 6.

    For robo-advisory and automated investment recommendation systems, firms must assess whether the system qualifies as high-risk under the AI Act in addition to existing MiFID II obligations. The classification depends on whether creditworthiness elements are present — if the system scores a client's financial capacity, Annex III Point 5(b) may apply.

    EU AI Act vs. Existing Financial Regulation: Key Overlaps
    Obligation Area EU AI Act Existing Regulation Integration Opportunity
    ICT / AI risk management Article 9 risk management system DORA Articles 5–15 Unified risk management framework
    Third-party AI / ICT vendors Article 26 deployer obligations DORA third-party risk management Combined vendor due diligence process
    Incident reporting Article 73 serious incident reporting DORA major ICT incident reporting Single incident triage and notification workflow
    Automated decision explainability Articles 13–14 transparency & oversight GDPR Article 22 Shared explainability framework; combined DPIAs/FRIAs
    Algorithmic suitability / fairness Annex III Point 5(b), Article 10 data governance MiFID II Articles 24–25, RTS 6 Integrated pre-deployment testing protocol
    05 / 08Chapter

    Fines and Enforcement: What Non-Compliance Actually Costs

    In short

    The EU AI Act's penalty structure has three tiers: up to €35M or 7% of global turnover for prohibited AI violations, up to €30M or 6% for high-risk AI non-compliance, and up to €15M or 3% for incorrect information to authorities.

    The EU AI Act introduced some of the largest administrative fine ceilings in EU regulatory history — higher than GDPR's €20M / 4% maximum for most violations. For a global bank, 6% of annual turnover is an existential number.

    Fines are set by national market surveillance authorities (in most member states, the financial regulator will be the designated authority for supervised institutions). The European AI Office has direct enforcement authority over GPAI model providers.

    Three-Tier Penalty Structure (Article 99)

    • Tier 1 — Prohibited AI (Article 5 violations): Up to €35 million or 7% of global annual turnover, whichever is higher. Relevant for any financial institution inadvertently using social scoring or prohibited biometric categorisation in its AI stack.
    • Tier 2 — High-risk AI non-compliance (Articles 9–46 violations): Up to €30 million or 6% of global annual turnover, whichever is higher. This tier applies to the core financial services use cases: credit scoring, underwriting, AML systems that fail to meet Annex III obligations.
    • Tier 3 — Incorrect or misleading information: Up to €15 million or 3% of global annual turnover. Applies to false statements to notified bodies or competent authorities during conformity assessment procedures.

    How Enforcement Will Work in Practice

    Each EU member state must designate at least one national competent authority as market surveillance authority for AI Act enforcement. For financial institutions, this will typically be the existing prudential or conduct regulator — the ECB, national central banks, or the FCA equivalent in each jurisdiction.

    The European Banking Authority's November 2025 report flagged that NCAs plan to incorporate AI Act compliance into their existing supervisory review and evaluation processes (SREP). This means AI compliance will be assessed alongside capital adequacy, liquidity risk, and operational resilience — not as a separate silo.

    • Supervisory expectations: NCAs will request AI Act compliance evidence as part of scheduled SREP cycles from 2026 onwards.
    • Reactive enforcement: Serious incidents reported under Article 73 will trigger supervisory investigation and may result in fines, temporary prohibition on use, or mandatory system withdrawal.
    • Cross-border coordination: The European AI Office coordinates enforcement for multi-jurisdiction AI systems, reducing the risk of inconsistent national treatment for pan-European financial institutions.

    SMEs and start-ups receive proportionate fines under Article 99(6) — penalties are capped at the lower threshold where both fixed ceiling and turnover-based ceiling apply. This provides limited but real relief for early-stage fintechs.

    Ready to accelerate your AI journey?

    Book a free 30-minute consultation with our AI strategists.

    Book Consultation
    06 / 08Chapter

    Practical Compliance Checklist for Financial Institutions

    In short

    A compliant financial institution needs to complete five workstreams: AI inventory and risk classification, gap analysis, technical documentation and conformity assessment, governance and oversight implementation, and EU AI database registration.

    Based on Alice Labs' experience designing AI compliance frameworks for Nordic financial institutions, the following checklist reflects the actual workstreams required to achieve EU AI Act readiness by August 2, 2026.

    This is not a legal opinion — it is a practitioner-level operational guide. Engage qualified legal counsel for jurisdiction-specific interpretation.

    Workstream 1: AI Inventory and Risk Classification

    • ☐ Complete AI system inventory: List every AI system in production, development, or procurement. Include vendor-supplied tools, embedded AI in purchased software, and AI accessed via APIs.
    • ☐ Classify each system by risk tier: Apply the Annex III test to each system. Document the classification rationale, including why borderline systems are classified as limited-risk rather than high-risk.
    • ☐ Assign provider/deployer status: For each system, determine whether the institution is a provider (built in-house or commissioned) or deployer (licensed from a third party).
    • ☐ Map to existing regulatory obligations: Flag systems that are already subject to DORA, GDPR Article 22, or MiFID II — these are candidates for integrated compliance treatment.

    Workstream 2: Gap Analysis Against Annex III Obligations

    • ☐ Risk management system gap: Assess current risk management documentation against Article 9 requirements. Identify missing elements: foreseeable misuse analysis, residual risk acceptance procedures, iterative review cadence.
    • ☐ Data governance gap: Review training and validation dataset documentation against Article 10. Flag datasets lacking demographic representativeness attestations or bias testing records.
    • ☐ Technical documentation gap: Check existing model cards and documentation against Annex IV's 12 required elements. Identify missing items: intended purpose statement, performance metrics by subgroup, known limitations disclosure.
    • ☐ Human oversight gap: Assess whether current human review processes are operationally genuine or nominal. Identify systems where human override capability does not exist or is technically impractical.
    • ☐ Logging gap: Confirm automated decision logs capture inputs, outputs, timestamps, and system version. Verify retention periods meet both AI Act and financial regulatory requirements.

    Workstream 3: Technical Documentation and Conformity Assessment

    • ☐ Prepare Annex IV technical documentation for each high-risk AI system. Assign documentation ownership to model risk management or technology teams.
    • ☐ Conduct conformity assessment: For most financial AI use cases, this is a self-assessment. Document evidence for each Article 9–15 obligation.
    • ☐ Retain conformity assessment records for 10 years post-deployment per Article 18.

    Workstream 4: Governance, Oversight, and Training

    • ☐ Appoint an AI compliance owner: Designate a named individual responsible for EU AI Act compliance across the institution. Ensure they have direct access to the board or risk committee.
    • ☐ Implement AI literacy training: Article 4 requires providers and deployers to ensure staff working with high-risk AI have adequate AI literacy. Document training completion.
    • ☐ Establish incident reporting procedures: Define what constitutes a serious incident under Article 3(49), who is responsible for notification, and the 15-day reporting timeline to competent authorities.
    • ☐ Implement post-market monitoring: Establish a process to collect and review operational performance data for each high-risk AI system on an ongoing basis.

    Workstream 5: EU AI Database Registration

    • ☐ Register each high-risk AI system in the EU AI public database before deployment or before the August 2, 2026 deadline for systems already in operation.
    • ☐ Update registrations whenever a system undergoes a substantial modification — defined as a change affecting the system's risk classification or its conformity with Annex III obligations.

    For the complete annotated checklist with article references and evidence templates, see our dedicated EU AI Act compliance checklist for 2026. For firms also assessing their overall AI implementation readiness, our AI readiness assessment guide provides a parallel diagnostic framework.

    07 / 08Chapter

    Special Considerations for Fintechs and Scale-Ups

    In short

    Fintechs face the same Annex III obligations as large banks but with fewer compliance resources — proportionate fines apply for SMEs, but technical obligations are identical. Fintechs building proprietary AI models as providers face the heaviest burden.

    Fintech firms often assume the EU AI Act is a large-bank problem. It is not. Any fintech offering credit products, insurance, or payment fraud detection to EU customers is deploying high-risk AI within the Act's scope.

    The distinction that matters most for fintechs is provider vs. deployer. Fintechs building their own credit scoring or underwriting models are providers — the heaviest obligation tier. Fintechs integrating bureau scores or third-party fraud APIs are deployers — still obligated, but with less documentation burden.

    Where Fintechs Are Most Exposed

    • Proprietary credit models: BNPL providers, neobanks, and embedded finance platforms that score creditworthiness using transaction data are providers of high-risk AI. Conformity assessment and Annex IV documentation are mandatory.
    • Automated onboarding and KYC: Document verification AI and facial liveness checks may intersect with biometric identification rules — classify carefully, as some use cases approach prohibited territory.
    • HR tools: Fintechs using AI-powered CV screening or interview assessment tools are subject to Annex III Point 4 — high-risk AI in employment. This is frequently overlooked.
    • Foundation model dependency: Fintechs building products on GPT, Claude, or Gemini APIs are GPAI deployers — obligations applied from August 2, 2025. Review your vendor agreements for transparency disclosures required under Article 53.

    SME Proportionality Provisions

    The EU AI Act includes limited proportionality provisions for SMEs and micro-enterprises under Articles 9(7), 17(3), and 62(1). These allow simplified risk management documentation and regulatory sandbox access, but do not reduce the core technical obligations.

    The fine cap for SMEs under Article 99(6) means penalties are calculated at the lower of the fixed ceiling or the turnover-based ceiling — providing meaningful financial protection for early-stage firms while preserving enforcement authority.

    Fintechs navigating the build vs. buy decision for AI capabilities should factor compliance cost into that analysis. Our build vs. buy AI guide models the full cost-of-ownership including regulatory overhead, which is particularly relevant for high-risk AI classification scenarios.

    08 / 08Chapter

    Frequently Asked Questions: EU AI Act for Financial Services

    In short

    Answers to the most common questions from risk, legal, and technology teams at banks, insurers, and fintechs navigating EU AI Act compliance.

    Does the EU AI Act apply to non-EU banks serving EU customers?

    Yes. The EU AI Act has extraterritorial scope similar to GDPR. Any provider or deployer whose AI system output is used in the EU is subject to the Act — regardless of where the system is built or hosted. A US bank offering EU retail credit products via an AI scoring system must comply with Annex III obligations.

    Is fraud detection AI automatically classified as high-risk?

    Fraud detection AI used in an AML/CFT context falls under Annex III Point 6, which covers AI used by competent authorities or on their behalf in law enforcement contexts. The European Banking Authority's November 2025 report confirms this extends to AML transaction monitoring at supervised institutions. Pure payment fraud detection without AML elements may require individual classification assessment.

    What is a "serious incident" that must be reported under the EU AI Act?

    Article 3(49) defines a serious incident as any incident or malfunction of a high-risk AI system that results in death, serious injury, significant unplanned disruption of critical infrastructure, violation of fundamental rights obligations, or serious damage to property or the environment. For financial AI, this includes systematic discriminatory credit decisions or AML system failures causing regulatory breaches. The reporting timeline is 15 working days from awareness.

    Can a bank self-certify compliance, or is a third-party auditor required?

    For the financial services Annex III use cases (credit scoring, insurance underwriting, fraud detection), self-assessment conformity assessment is permitted — a mandatory third-party notified body is not required. However, the self-assessment must be fully documented and evidence-based. Regulators may request the conformity assessment file during SREP reviews from 2026 onwards.

    How does the EU AI Act interact with GDPR's right to explanation?

    GDPR Article 22 gives individuals the right not to be subject to solely automated decisions with significant effects, plus the right to obtain human review and meaningful explanation of the logic involved. The AI Act's human oversight (Article 14) and transparency (Article 13) obligations reinforce this — both require that automated credit or insurance decisions can be reviewed and explained. The frameworks are complementary, not contradictory. A combined explainability approach serves both.

    What counts as a "substantial modification" requiring re-registration?

    Article 3(23) defines a substantial modification as a change to a high-risk AI system that affects the system's compliance with Annex III obligations or results in a change to its intended purpose. For a credit scoring model, retraining on a fundamentally different dataset, changing the target variable, or deploying the model in a new product context would likely qualify. Routine parameter retuning within defined thresholds typically does not.

    Do robo-advisors and algorithmic trading systems qualify as high-risk AI?

    It depends on the system's design and function. Robo-advisors that include a creditworthiness or financial capacity assessment component may fall under Annex III Point 5(b). Pure algorithmic trading systems operating without individual client credit assessment are not explicitly listed in Annex III and may qualify as limited-risk — but this requires individual classification analysis. MiFID II obligations continue to apply regardless of AI Act classification.

    How long must technical documentation and logs be retained?

    Conformity assessment technical documentation must be retained for 10 years after the AI system is placed on the market, per Article 18. Automatic logs generated by high-risk AI systems must be retained for at least 6 months under Article 12(1), unless applicable financial regulation (e.g., MiFID II's 5-year transaction record requirement) specifies a longer period — in which case the longer period prevails.

    About the Authors & Reviewers

    Published
    Written by
    Eric Lundberg - Co-Founder, Alice Labs at Alice Labs
    Eric Lundberg

    Co-Founder, Alice Labs

    Co-Founder at Alice Labs. Builds AI automation, agent workflows and integration systems that hold up in real business operations.

    • AI automation & agent systems lead
    • Workflow design across 100+ deployments
    • Specialist in RAG, integrations & APIs
    Reviewed by
    Linus Ingemarsson - Co-Founder, Alice Labs at Alice Labs
    Linus Ingemarsson

    Co-Founder, Alice Labs

    Co-Founder at Alice Labs. Author of 7 research reports on AI adoption, governance and labor markets cited across EU, OECD and US benchmarks.

    • 8+ years in AI strategy & implementation
    • Top-5 AI Speaker, Sweden (Mindley 2025)
    • 100+ enterprise AI engagements
    Published
    Reviewed for technical accuracy, methodology and source integrity.·All claims trace to public sources cited in-line.

    Frequently Asked Questions

    Does the EU AI Act apply to non-EU banks serving EU customers?

    Yes. The EU AI Act has extraterritorial scope similar to GDPR. Any provider or deployer whose AI system output is used in the EU is subject to the Act, regardless of where the system is built or hosted.

    Is fraud detection AI automatically classified as high-risk under the EU AI Act?

    Fraud detection AI used in an AML/CFT context falls under Annex III Point 6. The EBA's November 2025 report confirms this extends to AML transaction monitoring at supervised institutions. Pure payment fraud detection without AML elements requires individual classification assessment.

    Can a bank self-certify EU AI Act compliance for credit scoring systems?

    Yes. For financial services Annex III use cases, self-assessment conformity assessment is permitted — no mandatory third-party notified body is required. However, the assessment must be fully documented and evidence-based, and may be reviewed by regulators during SREP cycles.

    What is the EU AI Act compliance deadline for financial institutions?

    August 2, 2026 is the compliance deadline for high-risk AI systems under Annex III — which includes credit scoring, insurance underwriting, fraud detection, and AML tools. No grandfather clause applies to legacy systems.

    What fines apply for EU AI Act non-compliance in financial services?

    Non-compliance with high-risk AI obligations carries fines up to €30 million or 6% of global annual turnover, whichever is higher, under Article 99 of the EU AI Act.

    What is the difference between an AI provider and deployer under the EU AI Act?

    A provider develops and places an AI system on the market. A deployer uses it under their own authority. Banks building proprietary credit models are providers; banks licensing vendor scoring tools are deployers. Both carry compliance obligations, but providers face stricter technical documentation and conformity assessment requirements.

    How does the EU AI Act interact with DORA for financial institutions?

    The EU AI Act's risk management system (Article 9) and incident reporting requirements (Article 73) overlap substantially with DORA's ICT risk framework and major incident reporting obligations. An integrated compliance approach using a single risk management framework reduces duplication and total compliance cost.

    Do robo-advisors qualify as high-risk AI under the EU AI Act?

    It depends on design. Robo-advisors that include a creditworthiness or financial capacity assessment may fall under Annex III Point 5(b) as high-risk. Pure algorithmic trading systems without individual credit assessment are not explicitly listed in Annex III and may qualify as limited-risk, but require individual classification analysis.

    Previous in AI Governance & Compliance

    NIST AI Risk Management Framework: Enterprise Implementation Guide

    Next in AI Governance & Compliance

    EU AI Act Timeline 2026: Key Deadlines & Compliance Dates

    Further reading

    Related services

    Related reading

    deepdive

    EU AI Act Compliance Guide

    Discover a step-by-step guide to achieving EU AI Act compliance for enterprises, ensuring adherence to regulations by 2026.

    deepdive

    EU AI Act Compliance Checklist 2026

    Step-by-step EU AI Act compliance checklist for enterprises. Risk classification, Annex IV documentation, FRIA, AI literacy, conformity assessment — before 2 Aug 2026.

    deepdive

    What Is AI Governance?

    AI governance covers policy, process, and tooling for responsible AI. EU AI Act, NIST AI RMF, ISO 42001, OECD principles compared — with Alice Labs methodology.

    deepdive

    AI Strategy for Financial Services

    AI strategy for banks, insurance, asset management. EU AI Act Annex III for credit + insurance, DORA from Jan 2025, NIST AI RMF, top 6 use cases.

    deepdive

    Why AI Projects Fail

    Most AI projects fail before reaching production. Based on RAND, MIT Sloan, and 100+ Alice Labs engagements — the 7 root causes, with concrete fixes for each.

    Sources

    1. EU AI Act, Regulation 2024/1689European Parliament and Council
    2. Report on AI Act implications for the EU banking sectorEuropean Banking Authority
    3. EU Coordinated AI Plan, Volume 2OECD
    4. Artificial Intelligence initiativeEuropean Commission
    5. EU AI Act Deployer Obligations AnalysisGoodwin Law

    Next scheduled review:

    Ready to accelerate your AI journey?

    Book a free 30-minute consultation with our AI strategists.

    Book Consultation
    Share

    Get in Touch!

    The lab usually responds within 24 hours.

    Need help with AI?Get in touch