EU AI Act & Insurance: Underwriting, Claims Scoring, and Fraud Detection
Automated underwriting and claims scoring in insurance are firmly in high-risk territory under the EU AI Act. This guide breaks down which systems are high-risk, what technical documentation is required, and how obligations are split between insurers and their software vendors.
Insurance is a data-intensive industry built on risk classification. AI has accelerated every part of the value chain — from underwriting and pricing to claims processing and fraud detection. It has also created a compliance problem that the EU AI Act makes impossible to ignore.
Unlike retail, where most AI tools are minimal risk, insurance AI sits close to — or directly within — the high-risk tier. This guide explains where the lines are drawn, what documentation obligations apply, and how responsibilities are split between insurers (as deployers) and software vendors (as providers).
The Core Classification Issue
The EU AI Act's Annex III §5(b) lists as high-risk any AI system used to:
"evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud"
Insurance underwriting is precisely this: assessing an individual's risk profile to determine whether to offer coverage and at what price. The Act does not say "credit" in the banking sense only — it refers to the broader assessment of individuals' eligibility for and terms of access to financial services, which includes insurance.
The two questions to ask:
- Does the system make or substantially influence a decision about whether an individual receives coverage or what price they pay?
- Does that decision constitute an evaluation of their financial risk profile?
If both answers are yes, the system is high-risk.
Underwriting AI: High Risk by Default
Automated underwriting systems — whether rule-based with ML enhancements, or fully model-driven — evaluate individual risk based on personal data (age, health history, driving record, property location, financial history). The output influences or determines whether a policy is issued and at what premium.
This is squarely within Annex III §5(b). Whether the insurer calls it "underwriting," "eligibility scoring," or "pricing model" makes no legal difference. The function is what counts.
Obligations triggered (for providers of the AI system):
- Full technical documentation per Annex IV (system architecture, training data description, accuracy and robustness metrics, intended purpose, known limitations)
- Implementation of a quality management system (Article 17)
- Conformity assessment before placing the system on the market (Article 43)
- CE marking and EU Declaration of Conformity (Articles 47–48)
- Registration in the EU AI database (Article 71)
Obligations triggered (for insurers as deployers):
- Verify the system has CE marking and compliant documentation before deployment (Article 26)
- Implement human oversight measures (Article 14): a human must be able to review and override automated decisions
- Inform individuals when a decision affecting them was made using a high-risk AI system (Article 86)
- Maintain logs and monitor system performance post-deployment (Article 72)
- Designate a responsible person for oversight
Claims Scoring and Decision Support
Claims scoring systems evaluate the legitimacy of a claim and suggest or determine payout amounts. These sit in a grey zone depending on their architecture and use.
| System type | Risk category | Rationale |
|---|---|---|
| Claims triage / routing tool | Minimal or limited risk | Does not determine payout; routes to human assessor |
| Claims settlement recommendation system | High risk | Influences financial decision affecting the individual |
| Automated claims rejection tool | High risk | Direct decision on individual's access to financial benefit |
| Internal claims workload allocation | Minimal risk | Does not affect individual outcome |
The key variable is consequential impact on the individual. A system that tells a human claims assessor "this claim looks routine" is a workflow tool. A system that calculates a settlement figure and applies it without meaningful human review is making a financial decision — and is high-risk.
Fraud Detection: The Explicit Carve-Out
Article 6 and Annex III §5(b) include a specific exception: AI systems used for the purpose of detecting financial fraud are not classified as high-risk under the creditworthiness/scoring provision.
This matters significantly for insurers. Claims fraud detection tools — systems that flag suspicious patterns in claim submissions — benefit from this carve-out. They are typically minimal risk or limited risk depending on their outputs.
Important nuance: the carve-out applies to the fraud detection function specifically. If a single system both detects fraud and scores claims for payout determination, the payout-scoring component remains subject to high-risk obligations. You cannot use a dual-purpose system to exempt the high-risk function.
Practical implication for InsurTech: keep fraud detection logic and claims decision logic architecturally separate. Document the separation explicitly. This is not just good practice — it is the foundation of a defensible compliance argument.
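The separation recommended here, together with the deployer obligations listed earlier (a named human who can review and override, and a log of every decision), is easier to defend when it is visible in the code itself. The following is an added, constructed Python sketch, not code from any real insurer or vendor: the fraud-detection component returns only a flag and a reason and never a payout figure, the settlement model is a separate function whose output is applied only after a named reviewer confirms or overrides it, and every claim produces a log record. Thresholds, the depreciation rule and the identifiers are illustrative placeholders.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example. Thresholds, names and rules are illustrative placeholders.

@dataclass
class Claim:
    claim_id: str
    amount_claimed: float
    prior_claims_12m: int
    days_since_policy_start: int

@dataclass
class DecisionRecord:
    # Log entry the deployer keeps for every claim the pipeline touches.
    claim_id: str
    status: str                         # "investigation" or "settled"
    fraud_reason: str
    ai_recommendation: Optional[float]  # None when no payout model was run
    reviewer: str
    final_payout: Optional[float]
    overridden: bool

def detect_fraud(claim: Claim) -> Tuple[bool, str]:
    """Standalone fraud-detection component: returns only a flag and a reason,
    never a payout figure, so it stays a fraud-detection function only."""
    if claim.prior_claims_12m >= 3:
        return True, "claim velocity"
    if claim.days_since_policy_start < 30 and claim.amount_claimed > 5000:
        return True, "large claim shortly after inception"
    return False, ""

def recommend_settlement(claim: Claim) -> float:
    """Stand-in for the high-risk settlement model: 10% depreciation, capped."""
    return round(min(claim.amount_claimed * 0.9, 50_000.0), 2)

def process_claim(claim: Claim, reviewer: str,
                  reviewer_payout: Optional[float] = None) -> DecisionRecord:
    """Deployer-side pipeline. A fraud flag routes the claim to investigation
    without running the payout model at all; otherwise the model's proposal
    is applied only once a named human reviewer confirms or overrides it."""
    if not reviewer:
        raise ValueError("a named human reviewer is required (Article 14 oversight)")
    suspicious, reason = detect_fraud(claim)
    if suspicious:
        return DecisionRecord(claim.claim_id, "investigation", reason, None,
                              reviewer, None, False)
    proposed = recommend_settlement(claim)
    final = proposed if reviewer_payout is None else reviewer_payout
    return DecisionRecord(claim.claim_id, "settled", "", proposed, reviewer,
                          final, final != proposed)
```

The `DecisionRecord` is what a post-deployment log would store per claim; the `overridden` field makes the human-oversight path auditable rather than merely asserted.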
Interaction with Solvency II
Solvency II (Directive 2009/138/EC) already imposes model governance requirements on insurers — Own Risk and Solvency Assessment (ORSA), internal model validation, and governance frameworks. The AI Act does not replace Solvency II; both frameworks apply concurrently.
There is meaningful overlap in documentation requirements. The AI Act's Annex IV technical documentation and Solvency II's model documentation requirements share common elements: data quality governance, accuracy testing, performance monitoring, and model limitations disclosure.
In practice, insurers should treat the Solvency II model governance infrastructure as the foundation and extend it to meet AI Act requirements. The incremental cost of AI Act compliance is lower for insurers that already maintain rigorous Solvency II documentation than for firms starting from scratch.
Summary Classification Table
| Insurance AI use case | Risk category | Key provision |
|---|---|---|
| Automated underwriting / eligibility scoring | High risk | Annex III §5(b) |
| Premium pricing model (individual) | High risk | Annex III §5(b) |
| Claims settlement recommendation | High risk | Annex III §5(b) |
| Automated claims rejection | High risk | Annex III §5(b) |
| Claims fraud detection (standalone) | Minimal risk | §5(b) explicit carve-out |
| Claims triage / routing | Minimal risk | No Annex III trigger |
| Customer service chatbot | Limited risk | Article 50 (transparency) |
| Internal process automation (non-decision) | Minimal risk | No Annex III trigger |
| Telematics scoring for motor insurance pricing | High risk | Annex III §5(b) |
Provider vs. Deployer: Who Does What
The Act distinguishes between providers (those who develop and place AI systems on the market) and deployers (those who use AI systems in their operations).
For insurance, this means:
InsurTech vendors and software providers are providers. They must ensure their underwriting or scoring systems comply before selling to insurers — including CE marking, technical documentation, and registration.
Insurers using third-party AI tools are deployers. They cannot outsource responsibility entirely. Even if the vendor provides compliant documentation, the insurer must still verify that documentation, implement human oversight, maintain logs, and inform affected individuals.
If an insurer builds its own underwriting AI in-house, it is simultaneously a provider and a deployer, and both sets of obligations apply.
Practical Compliance Steps for Insurers and InsurTechs
For InsurTech vendors:
- Identify all AI systems that perform individual risk assessment, scoring, or pricing
- Complete Annex IV technical documentation for each high-risk system
- Implement quality management per Article 17
- Conduct conformity assessment and obtain CE marking before commercial deployment
- Register in the EU AI database (Article 71)
- Maintain a post-market monitoring plan
For insurers (deployers):
- Audit all AI tools in use and obtain compliance documentation from vendors
- Verify CE marking and EU database registration for all high-risk systems
- Document human oversight procedures per Article 14
- Set up individual notification processes per Article 86
- Establish incident reporting procedures per Article 73
- Cross-reference AI Act documentation with existing Solvency II model governance files
DILAIG maps your insurance AI systems to their risk category, generates Annex IV technical documentation automatically, and tracks compliance status across your vendor portfolio. Start your audit at dilaig.com.