EU AI Act and Finance AI: Credit Scoring, Algorithmic Trading, and Fraud Detection

The financial sector uses AI extensively — and three core use cases face very different AI Act obligations. This guide clarifies the high-risk classification, specific requirements, and compliance steps for banks, insurers, and fintechs.

19 May 2026 · DILAIG

The financial services sector is one of the most intensive AI adopters in the EU economy. Banks score creditworthiness, insurers assess risk, investment firms execute algorithmic trades, and payment processors detect fraud — all using AI systems at scale, continuously, with real consequences for millions of individuals and the stability of markets.

The EU AI Act treats these different uses very differently. Not all financial AI is high-risk. Understanding which systems face mandatory obligations, which face lighter requirements, and which face none is essential for compliance planning in any financial institution.

The Starting Point: Does Financial AI Qualify as High-Risk?

Financial AI reaches the high-risk category through Article 6(2) and Annex III, specifically:

Annex III §5(b): AI intended to be used to make decisions, or to materially influence decisions, on the eligibility of natural persons for essential private services and the access to and enjoyment of fundamental social services including creditworthiness assessment and credit scoring, life and health insurance pricing and underwriting, medical insurance, and employment-related insurance.

The scope of §5(b) covers:

  • Credit scoring and creditworthiness assessment
  • Insurance underwriting — pricing decisions for life, health, and employment-related insurance
  • Loan eligibility determination

What §5(b) covers by name: the EU AI Act specifically identifies credit scoring as a high-risk use case. There is no ambiguity here.

What is not automatically captured by §5(b): algorithmic trading, fraud detection, anti-money laundering, and investment recommendation. These may still fall within high-risk categories through other Annex III provisions or Article 6(1) product paths, or they may not — the classification requires individual analysis.

Credit Scoring and Creditworthiness Assessment

Classification

Credit scoring AI — whether used for mortgage applications, consumer credit, business lending, or overdraft facilities — falls squarely within Annex III §5(b). It is high-risk regardless of whether the AI makes the credit decision directly or "only" provides a score that a loan officer uses. The phrase "or to materially influence decisions" ensures that scoring systems that feed human decision-making are captured.

The specific compliance obligations

Article 9 — Risk management: The risk management system must identify risks of the credit scoring model producing biased, inaccurate, or harmful outputs. For credit scoring, the primary risk management focus must include:

  • Discrimination risk by protected characteristics (gender, ethnicity, age, disability) — financial discrimination is also subject to EU anti-discrimination law and national banking regulation
  • Model performance under distribution shift — does the model perform differently during economic stress versus stability?
  • Data staleness — how quickly do training datasets become unrepresentative?

Article 10 — Training data governance: Credit scoring training data must be examined for historical bias. Historical lending data systematically reflects past discrimination — if women were denied credit at higher rates than men in the training period for reasons unrelated to creditworthiness, a model trained on this data will reproduce that bias. This must be documented and addressed.

The article requires data that is "free of errors and complete." For credit data aggregated from multiple sources (credit bureaus, bank transaction data, public records), data quality and completeness across populations is a specific obligation.

Article 13 — Transparency to deployers: Banks deploying third-party credit scoring systems are entitled to receive full documentation about the model's performance characteristics, known limitations, and testing results.

Article 50 — Transparency to affected persons: When an AI system is used in a decision about a natural person, that person must be informed. For credit decisions, this intersects with existing consumer credit law (Directive 2008/48/EC on credit agreements) which already requires explanation rights for automated decisions. The AI Act's transparency obligation reinforces and extends these rights.

Article 26(1) — Deployer's right to meaningful information: Banks that do not build credit scoring AI themselves but deploy external systems have the right — and the obligation to exercise it — to request and verify the technical documentation, training data information, and performance metrics of the AI system they deploy.

Interaction with GDPR and anti-discrimination law

Credit scoring AI processes financial data (special category adjacent) and in many cases national identity numbers, income data, and employment records. Article 22 of the GDPR on automated decision-making applies to fully automated credit decisions with legal effect on individuals — banks must provide the right to human review for such decisions. The AI Act's human oversight requirements reinforce this under Article 14.

EU anti-discrimination law (Directive 2000/43/EC on racial equality, Directive 2004/113/EC on sex discrimination in goods and services) also applies to credit decisions — meaning bias testing and mitigation are both an AI Act obligation and an existing legal requirement.

Algorithmic Trading

Classification

Algorithmic trading — the use of automated systems to execute trades based on market data and rules — is not automatically classified as high-risk AI under the AI Act's Annex III. The Annex III categories cover AI that affects individual persons' fundamental rights and access to services. Algorithmic trading operates primarily in market infrastructure, not on individual persons.

However, algorithmic trading systems may be relevant to the AI Act in other ways:

Article 6(1) pathway: If an algorithmic trading system is embedded in a financial product or infrastructure system that is itself regulated under EU financial regulation (MiFID II, EMIR, MAR), and if that regulatory framework requires third-party assessment of the AI component, Article 6(1) may classify the AI as high-risk.

GPAI model usage: Investment firms that use general-purpose AI models (LLMs) for market analysis or trading signal generation may trigger GPAI obligations for the model developer and downstream compliance obligations for the investment firm as provider of an AI system built on GPAI.

MiFID II and ESMA requirements: Algorithmic trading is already subject to extensive regulation under MiFID II Articles 17–18, requiring risk controls, kill switches, circuit breakers, and governance frameworks. These obligations are not AI Act obligations, but an AI Act compliance programme for a trading firm should map against them.

Key practical point

For most pure algorithmic trading systems that are not classified as high-risk under the AI Act, the regulation's main impact is the Article 50 transparency obligation if the system interacts with or affects clients, and the GPAI obligations on any foundation models used.

Fraud Detection

Classification

AI-based fraud detection — in payments, insurance, mortgage applications, anti-money laundering — presents a nuanced classification question.

The case for not being high-risk: The primary function is to flag suspicious activity for human review, not to make final determinations about individuals. The system protects financial integrity rather than making access decisions.

The case for being high-risk: If the fraud detection system's output leads to automatic account blocking, transaction refusal, or initiation of legal proceedings against individuals, it is making decisions with significant individual impact. In that context, Annex III §5(b) may apply if the decision materially affects the person's access to financial services.

The likely position: A fraud detection system used internally by a financial institution to flag transactions for analyst review, with no automated individual-level adverse action, is likely not high-risk under the current AI Act framework. A fraud detection system that automatically and permanently blocks an individual's access to banking services without human review is more likely to be classified as high-risk — and raises human oversight questions under Article 14.

AML (Anti-Money Laundering): AI used in AML transaction monitoring to generate suspicious activity reports for human analyst review falls into a similar pattern — likely not high-risk in most configurations, but subject to AI Act transparency obligations under Article 50 if it generates outputs that affect individuals in legal proceedings.

The intersection with financial regulation

Financial fraud detection and AML AI is subject to extensive sector regulation independent of the AI Act: the 6th AML Directive, EBA guidelines on internal governance, ECB supervisory expectations for model risk management. These existing frameworks already impose model validation, documentation, and governance requirements. The AI Act compliance programme should align with — and leverage where possible — the model risk management frameworks already required by financial regulators.

Practical Steps for Financial Sector Compliance

  1. Inventory all AI systems and classify each against Annex III — specifically §5(b) for consumer-facing eligibility and access decisions.
  2. Treat credit scoring AI as high-risk with immediate effect. All Articles 9–15, Article 43, and Article 47 obligations apply.
  3. For algorithmic trading AI: conduct an Article 6(1) analysis to determine whether the system is embedded in a product covered by Annex I legislation. Review GPAI exposure if foundation models are used.
  4. For fraud detection AI: analyse whether the system produces individual adverse actions with significant impact. If yes, classify as high-risk. If no, assess Article 50 transparency obligations.
  5. Map AI Act obligations against existing model risk management frameworks (EBA, ECB, BaFin/ACPR/FCA model risk guidance) to identify where compliance processes can be unified.

How DilAIg Helps

DilAIg's 50-question audit is designed for financial sector providers and deployers of high-risk AI systems. The audit generates your Technical Documentation, Declaration of Conformity, FRIA (for deployers), and Transparency Notice — covering the specific obligations that apply to credit scoring and other high-risk financial AI.

Start your free audit at dilaig.com and establish your financial AI compliance baseline.


FAQ: EU AI Act and Financial Services AI

Q: Does credit scoring AI need a CE mark?
Yes. Credit scoring AI is classified as high-risk under Annex III §5(b). All high-risk AI systems must bear the CE marking under Article 49 before being placed on the EU market or put into service.

Q: Who is the "provider" of credit scoring AI — the bank or the credit bureau?
It depends on who places the specific system on the market or puts it into service under their own name. If a credit bureau develops and licenses a scoring model to banks, the credit bureau is the provider. If a bank develops its own internal scoring model, the bank is the provider. If the bank modifies a third-party model substantially, it may become the provider of the modified system under Article 25.

Q: Does the AI Act change what information banks must provide to customers denied credit?
It reinforces and extends existing obligations. Directive 2008/48/EC already requires explanation of automated credit decisions. The AI Act's transparency requirements under Article 50 add an obligation to inform individuals that AI was used in a decision, alongside the credit directive's explanation requirements.

Q: Is insurance underwriting AI also high-risk?
Yes, for life, health, and employment-related insurance. Annex III §5(b) explicitly covers insurance pricing and underwriting decisions. The same provider obligations apply as for credit scoring.


Key Takeaways

  • Credit scoring and creditworthiness assessment AI is explicitly classified as high-risk under Annex III §5(b). Full provider obligations apply.
  • Algorithmic trading AI is not automatically high-risk but may be captured through the Article 6(1) product component pathway or GPAI model obligations.
  • Fraud detection AI requires individual analysis — systems that make autonomous adverse actions affecting individuals' access to financial services are more likely to be classified as high-risk.
  • Financial sector AI Act compliance should be mapped against existing model risk management frameworks from EBA, ECB, and national supervisors to identify alignment opportunities.
  • Insurance underwriting AI for life, health, and employment-related products is also explicitly high-risk under the same Annex III provision.
