EU AI Act for fintech and financial services
AI in credit scoring, fraud detection, or customer communication often intersects with existing financial regulation. The EU AI Act adds another layer: risk classes, documentation, and traceability must be designed together – not only “alongside” BaFin or EBA expectations.
Typical use cases
- Credit scoring and creditworthiness assessment of natural persons – a high-risk use case under Annex III No. 5
- Fraud and anomaly detection with high decision impact
- Onboarding & identity where AI assists or automates (KYC, document checks)
- AML transaction monitoring and sanctions-list screening
- Customer communication and advisory support via language models – transparency obligations under Art. 50
Regulatory focus
- Strong expectations for explainability and human oversight on sensitive decisions
- Tight coupling with internal controls, model validation, and audit trails
- Annex III – deliberately review relevant AI systems: credit scoring (No. 5), possibly biometrics or insurance pricing
- Use the carve-out: AI systems for detecting financial fraud are exempt from the high-risk classification of credit scoring
BaFin, DORA, and the EU AI Act: three rulebooks, one evidence problem
Financial institutions already document models and ICT risks today. The EU AI Act does not demand a parallel universe – but it does demand that AI-specific obligations verifiably plug into existing processes.
MaRisk / BAIT
Model governance, outsourcing control, and internal controls already exist. Map AI systems to these processes instead of building new silos – the AI Act adds risk class, purpose limitation, and human oversight.
DORA
DORA addresses ICT risk and third-party management. For purchased AI (scoring services, fraud APIs), DORA third-party risk overlaps with AI Act deployer obligations – a shared vendor register avoids duplicate work.
EU AI Act
Adds Annex III risk classification, technical documentation, logging, and human oversight. For high-risk systems such as credit scoring, the deadline is 2 December 2027.
One inventory as the bracket
A central AI inventory with risk context connects all three worlds: each system carries its AI Act class, DORA third-party status, and MaRisk mapping – exportable as audit-ready evidence.
FAQ
Is credit scoring high-risk under the EU AI Act?
Yes. AI systems for assessing the creditworthiness of natural persons are classified as high-risk under Annex III No. 5. Systems used to detect financial fraud are exempt.
Does fraud detection count as high-risk AI?
Usually no: Annex III explicitly exempts AI systems for detecting financial fraud from the high-risk classification of credit scoring. Still, review the concrete purpose – systems with different decision impact may be classified differently.
How do DORA and the EU AI Act overlap?
DORA governs ICT risk and third-party management, the AI Act governs AI-specific obligations. For purchased AI services both apply: third-party risk under DORA plus deployer obligations under the AI Act. A shared register for AI systems and vendors covers both.
Does SimpleAct replace banking supervision or legal advice?
No. SimpleAct supports the EU AI Act part (inventory, risk classification, documentation, export). For banking regulation and binding assessments, involve your specialists.
Structured capture for regulated environments
Bring AI systems into one inventory and document risk classes traceably.
Get started