EU AI Act Compliance for Fintech
AI systems used to assess creditworthiness, price insurance, or determine access to financial services are explicitly listed as high-risk under Annex III Category 5 of the EU AI Act. For fintech companies, this is not a peripheral compliance question — it applies directly to the core product. The August 2026 deadline is the relevant date for most fintech use cases.
Which Annex III Category Applies
Annex III, Category 5 covers AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score; to evaluate the risk and pricing for life and health insurance; and AI used for the dispatch or establishment of priority in the dispatching of emergency first response services. The first two sub-categories are directly relevant to fintech.
Unlike some categories, which require the AI to make a "final" decision to be in scope, Category 5 applies to systems that evaluate or score creditworthiness even where a human ultimately makes the credit decision. A model that generates a probability-of-default score used by an underwriter is within scope. The Act's reach in financial services is deliberately broad because the consequences of biased credit decisions are severe and systemic.
Products Covered by Category 5
- Credit scoring and loan origination AI
- Buy Now Pay Later risk assessment engines
- Insurance premium pricing models
- Open banking-based creditworthiness tools
- SME lending decisioning platforms
- Mortgage affordability assessment AI
- Insurance claims assessment systems that affect payouts
- Identity verification tools that gate financial service access
The key test for Category 5 is whether the system affects a natural person's access to, or the terms of, essential private services — particularly financial services. If your product generates a score or recommendation that determines whether someone gets a loan, at what rate, or whether their claim is approved, Category 5 applies.
Core Obligations for Fintech AI Providers
As a high-risk AI provider under Annex III Category 5, you must comply with Articles 9–15 before placing your system on the EU market. The most demanding articles for fintech are Articles 10 and 11.
Article 9: Risk management system
Continuous documentation of known risks — including discriminatory outcomes, model drift, and data quality failures — with mitigation measures and residual risk evaluation. It must be updated as production data reveals new risk patterns.
Article 10: Data and data governance
Training data must be examined for correlations between input features and protected characteristics. Historical credit decisions used as training labels often encode past discrimination. This examination must be documented — and the steps taken to address findings must be proportionate.
Article 11: Technical documentation
Full Annex IV documentation is required before EU market placement. For credit AI, this includes the model architecture, training data methodology, evaluation metrics disaggregated by demographic subgroups where relevant, and the risk management system file.
Article 13: Transparency and instructions of use
Instructions of use provided to deployers (banks, lenders) must include performance metrics, known limitations, and guidance on human oversight workflows. Enterprise deployers will increasingly require this before integrating a credit API.
Article 14: Human oversight
Credit systems must be designed so that loan officers or underwriters can genuinely assess and override AI recommendations. Workflows where AI scores are presented without supporting rationale, or where operational pressure makes override impractical, do not satisfy Article 14.
Common Compliance Gaps in Fintech AI
Using protected-characteristic proxies without examination
Fintech credit models frequently use features — postcode, device type, browsing behaviour, social connections — that correlate with protected characteristics like ethnicity, age, or disability. Article 10 requires examination of training data for these correlations and documented steps to address them. Many teams examine model outputs for disparate impact but do not examine the training data that produces the model. Both are required.
No explainability infrastructure for Article 13 compliance
Article 13 requires providers to give deployers information about how the system works sufficient to support proper use. For credit AI deployed through a bank or lender, this means the instructions of use must describe which features drive decisions and in what direction. Building post-hoc explainability at the compliance deadline is expensive — it needs to be built into the model architecture and evaluation pipeline from the start.
Treating GDPR compliance as a substitute for AI Act compliance
Many fintech compliance teams have strong GDPR Article 22 compliance for automated decisions. The EU AI Act adds requirements that go beyond GDPR: technical documentation under Article 11, the continuous risk management system under Article 9, and the system design requirements under Article 14. GDPR compliance establishes a floor, not a ceiling.
Inadequate post-market monitoring for model drift
Credit models trained on historical repayment data degrade as economic conditions change. A model trained in 2022 may perform very differently in 2026. Article 9's continuous risk management obligation requires monitoring production performance, including demographic parity metrics, on an ongoing basis. Quarterly model monitoring reports that don't include demographic breakdowns are insufficient.
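The two checks this page keeps returning to, examining the training data for proxies of protected characteristics (the Article 10 gap above) and monitoring demographic parity of the model's outputs period by period (the drift gap here), can share one small toolkit. The following Python is an added example, not Nytivo's code and not anything prescribed by the Act: it runs over a constructed set of twenty loan applications, measures the association between each model input and a held-out protected attribute (age group) with Cramér's V, then computes approval-rate gap and min/max ratio per reporting quarter so that drift between quarters is visible. The feature names, the 0.3 association threshold and the 0.8 ratio threshold are constructed screening values, not figures from the Act.

```python
"""Proxy-feature examination and per-period demographic parity monitoring.

Added example (not from the page or Nytivo). All records, feature names and
thresholds are constructed for illustration.
"""
from collections import Counter, defaultdict
from itertools import product
from math import sqrt

# Constructed loan applications. 'age_group' is the protected attribute and is
# NOT a model input; 'postcode_band' and 'device_type' are model inputs;
# 'approved' is the model's output decision for that application.
FIELDS = ("period", "age_group", "postcode_band", "device_type", "approved")
APPLICATIONS = [dict(zip(FIELDS, row)) for row in [
    ("2025Q1", "under_30", "urban_A", "mobile", 1),
    ("2025Q1", "under_30", "rural_B", "mobile", 1),
    ("2025Q1", "under_30", "urban_A", "mobile", 1),
    ("2025Q1", "under_30", "rural_B", "mobile", 1),
    ("2025Q1", "under_30", "urban_A", "desktop", 0),
    ("2025Q2", "under_30", "rural_B", "mobile", 0),
    ("2025Q2", "under_30", "urban_A", "mobile", 0),
    ("2025Q2", "under_30", "rural_B", "mobile", 0),
    ("2025Q2", "under_30", "urban_A", "mobile", 0),
    ("2025Q2", "under_30", "rural_B", "desktop", 0),
    ("2025Q1", "over_30", "urban_A", "desktop", 1),
    ("2025Q1", "over_30", "rural_B", "desktop", 1),
    ("2025Q1", "over_30", "urban_A", "desktop", 1),
    ("2025Q1", "over_30", "rural_B", "mobile", 1),
    ("2025Q1", "over_30", "urban_A", "desktop", 0),
    ("2025Q2", "over_30", "rural_B", "desktop", 1),
    ("2025Q2", "over_30", "urban_A", "desktop", 1),
    ("2025Q2", "over_30", "rural_B", "mobile", 1),
    ("2025Q2", "over_30", "urban_A", "desktop", 1),
    ("2025Q2", "over_30", "rural_B", "desktop", 0),
]]
MODEL_INPUTS = ("postcode_band", "device_type")
PROTECTED = "age_group"
PROXY_THRESHOLD = 0.3   # constructed screening value for Cramér's V
RATIO_THRESHOLD = 0.8   # constructed screening value for min/max approval ratio


def cramers_v(records, feature, protected):
    """Association between two categorical columns (0 = independent, 1 = perfect)."""
    counts = Counter((r[feature], r[protected]) for r in records)
    rows = sorted({r[feature] for r in records})
    cols = sorted({r[protected] for r in records})
    k = min(len(rows), len(cols))
    if k < 2:
        return 0.0  # a constant column cannot act as a proxy
    n = len(records)
    row_total = {a: sum(counts[(a, b)] for b in cols) for a in rows}
    col_total = {b: sum(counts[(a, b)] for a in rows) for b in cols}
    chi2 = 0.0
    for a, b in product(rows, cols):
        expected = row_total[a] * col_total[b] / n  # > 0, totals come from data
        chi2 += (counts[(a, b)] - expected) ** 2 / expected
    return sqrt(chi2 / (n * (k - 1)))


def examine_proxies(records, inputs=MODEL_INPUTS, protected=PROTECTED):
    """Training-data check: which model inputs correlate with the protected attribute."""
    scores = {f: round(cramers_v(records, f, protected), 4) for f in inputs}
    flagged = [f for f, v in scores.items() if v >= PROXY_THRESHOLD]
    return {"association": scores, "flagged_as_proxy": flagged}


def parity_metrics(records, protected=PROTECTED):
    """Output check: approval rate per group, largest gap, and min/max ratio."""
    totals = Counter(r[protected] for r in records)
    approved = Counter(r[protected] for r in records if r["approved"])
    rates = {g: approved[g] / totals[g] for g in sorted(totals)}
    hi, lo = max(rates.values()), min(rates.values())
    ratio = lo / hi if hi else 1.0
    return {
        "rates": rates,
        "parity_gap": hi - lo,
        "impact_ratio": ratio,
        "below_threshold": ratio < RATIO_THRESHOLD,
    }


def parity_by_period(records, protected=PROTECTED):
    """Post-market view: parity metrics per reporting period, so drift shows up."""
    buckets = defaultdict(list)
    for r in records:
        buckets[r["period"]].append(r)
    return {p: parity_metrics(rs, protected) for p, rs in sorted(buckets.items())}


if __name__ == "__main__":
    print("proxy examination:", examine_proxies(APPLICATIONS))
    print("overall parity:", parity_metrics(APPLICATIONS))
    for period, m in parity_by_period(APPLICATIONS).items():
        print(period, "gap=%.2f ratio=%.2f flagged=%s"
              % (m["parity_gap"], m["impact_ratio"], m["below_threshold"]))
```

On this constructed data `device_type` is flagged as a proxy while `postcode_band` is not, and the quarterly view shows parity that is fine in 2025Q1 collapsing in 2025Q2 even though the pooled figures look like a single moderate gap; that is the kind of breakdown a quarterly report without demographic splits would hide. In a real pipeline the protected attribute would come from a separate, access-controlled dataset used only for this examination, never from the model's feature store.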
Generate your fintech AI documentation
Nytivo generates the full Annex IV technical documentation pack for your credit or insurance AI system — including training data documentation, performance metrics, and the risk management system file required under Article 9.
EU AI Act for Fintech — FAQs
Does our fraud detection AI count as high-risk under the EU AI Act?
It depends on what the fraud detection system does. If it generates scores or decisions that affect an individual's access to financial services — for example, blocking a payment, suspending an account, or flagging a customer for enhanced verification — it is likely within Annex III Category 5 as a system affecting access to essential private services. If the system flags transactions for human review without directly restricting access, the classification is more nuanced and depends on how material the AI's contribution to the final decision is.
We use AI to set interest rates. Is that high-risk?
Yes. Setting interest rates on credit products is a form of creditworthiness assessment that affects individuals' access to and cost of financial services. Annex III Category 5 is not limited to binary approve/reject decisions — it covers the terms on which financial services are provided. An AI system that determines the interest rate, credit limit, or insurance premium for an individual based on their characteristics is high-risk.
How does Article 22 GDPR interact with the EU AI Act for automated credit decisions?
GDPR Article 22 gives individuals the right not to be subject to solely automated decisions with significant legal or similar effects, including the right to request human review and an explanation. The EU AI Act's Article 14 (human oversight) and Article 13 (transparency) add to this framework without replacing it. In practice, fintech companies must satisfy both regimes: GDPR provides individual rights; the AI Act imposes obligations on the provider's system design. Satisfying one does not automatically satisfy the other.
Do EU AI Act obligations apply to our algorithmic trading or market-making systems?
Probably not, for most algorithmic trading systems. Annex III Category 5 focuses on AI affecting individual natural persons' access to essential services — not market-level price formation. An AI system that executes trades or makes markets is unlikely to be high-risk under Annex III unless it directly affects individual customers' account balances or access to services in ways that mirror credit or insurance decisions.
What does 'instructions of use' for a credit AI actually require?
Article 13 requires providers to supply deployers with instructions of use that include: the intended purpose and limitations of the system, performance metrics on defined test sets, known risks of bias or error, the human oversight measures required, and guidance on when the system should not be used. For credit AI, this means documenting the demographic groups on which the model performs differently, the input features used and their known correlation with protected characteristics, and specific guidance for compliance teams on how to structure human review workflows.