Which Fintech AI Systems Are High-Risk Under the EU AI Act?

Industry Guide · 23 May 2026 · 14 min read · 2,779 words

Credit scoring (Annex III 5(b)) is high-risk; fraud detection is not. Map fintech AI to EU AI Act tiers, obligations, and the 2 December 2027 deadline.

The EU AI Act does not treat financial services AI as a single category. It names two specific fintech use cases as high-risk and leaves the rest of the sector largely outside the high-risk tier — provided companies classify correctly and document why.

That distinction matters. A mid-size lender running six AI systems may find that only one of them triggers the full high-risk obligation stack. A payment company with a fraud-detection model is almost certainly not high-risk on the basis of Annex III at all. Getting this right is not a shortcut for avoiding compliance work; it is how you direct compliance resources where the regulation actually requires them.

This article maps the common fintech AI use cases — credit scoring, fraud detection, robo-advice, AML monitoring, algorithmic trading, insurance pricing, chatbots — to their correct tier under Regulation (EU) 2024/1689. If you are looking for the full governance programme — obligations, documentation packs, the Article 27 FRIA workflow — see EU AI Act for Fintech: Obligations and Governance Programme.


The Two Fintech Use Cases That Are Explicitly High-Risk

Credit Scoring and Creditworthiness Assessment — Annex III, Point 5(b)

Tier: High-risk.

Annex III, point 5(b) designates as high-risk any AI system used to assess the creditworthiness of natural persons or to establish their credit score. This covers consumer lending, credit card approval, peer-to-peer lending services, mortgage origination, buy-now-pay-later decisioning, and any other model whose output determines whether a person gets access to credit and on what terms.

The scope is broader than fully automated decisions. A model that generates a probability-of-default score that a loan officer then uses is within scope if that score materially shapes the outcome. Point 5(b) is triggered by influence over access to an essential service, not by the absence of a human in the loop. Any system that profiles borrowers cannot invoke the Article 6(3) filter; profiling of natural persons is always high-risk regardless.

A regional lender with an in-house credit model, a fintech licensing its scoring engine to banks, and a bank embedding a third-party score into its origination workflow all face Article 6 high-risk classification — though their roles differ. The lender that built the model is the provider under Article 16; the bank deploying it is the deployer under Article 26. A bank that built and uses its own model is both.

The deadline for the full high-risk obligation stack is 2 December 2027, under the Digital Omnibus (political agreement of 7 May 2026) which deferred the original 2 August 2026 date for stand-alone Annex III systems. Given that Article 11 / Annex IV technical documentation and the Article 9 risk management system each take months to assemble properly, starting well before that date is not optional for most firms.

Deployers of creditworthiness systems owe the Article 27 Fundamental Rights Impact Assessment (FRIA) — a structured pre-deployment analysis covering the rights of affected borrowers, the risks the deployment creates, and the mitigations in place. This obligation applies to deployers of Annex III 5(b) systems specifically; it is not a general deployer duty.

Life and Health Insurance Risk and Pricing — Annex III, Point 5(c)

Tier: High-risk.

Annex III, point 5(c) designates as high-risk AI systems used to assess risks and set pricing for life insurance and health insurance. Underwriting models that determine premium levels, risk-band categorisation, or eligibility for cover fall within this point. The same full obligation stack applies as for credit scoring: Article 9 risk management, Article 10 data governance, Article 11 / Annex IV documentation, Article 14 human oversight, Article 43 conformity assessment, and the Article 27 FRIA for deployers.

Note the boundary on the insurance side: point 5(c) covers life and health insurance only. Motor insurance, property insurance, and travel insurance pricing AI are not in Annex III on this basis. Insurance firms operating across lines should not assume sector-wide high-risk classification — they should classify system by system.

Insurers also face a sector-specific intersection with Solvency II and the Insurance Distribution Directive (IDD). The EU AI Act layers on top of those frameworks without replacing them.


Fraud Detection: Explicitly Carved Out of High-Risk

Tier: Generally not high-risk under Annex III.

Annex III, point 5(b) contains an explicit carve-out: AI systems used for the detection of financial fraud are excluded from the creditworthiness/credit-scoring high-risk classification. This was a deliberate legislative choice. Fraud-detection models protect consumers and the financial system rather than making consequential determinations about access to essential services, so they do not create the same fundamental-rights exposure as credit or insurance pricing AI.

In practice: a transaction-monitoring model that flags suspicious payments for review by a human analyst is not high-risk under Annex III. A payment-anomaly detection engine is not high-risk. An account-takeover identification model is not high-risk on this basis.

What remains relevant for fraud-detection AI:

  • GDPR Article 22 — if the fraud-detection system produces a decision with significant legal effects on a natural person (for example, an automatic account freeze applied without any human review), that automated decision may engage the GDPR Article 22 right. The EU AI Act high-risk tier and GDPR Article 22 operate independently.
  • Article 6(3) documentation — even when a system is out of scope for high-risk, providers benefit from documenting the classification rationale. If a regulator later questions the classification of a fraud model, the documentation shows the analysis was done.
  • AML-specific regulation — the Anti-Money Laundering framework (now Regulation (EU) 2024/1624 and AMLD6) imposes its own requirements on transaction monitoring. That framework is separate from the EU AI Act.

Robo-Advice and Algorithmic Investment Recommendations

Tier: Not high-risk under Annex III. Limited-risk (Article 50) if customer-facing.

AI systems that generate investment recommendations or portfolio allocations are not in Annex III. MiFID II suitability and appropriateness requirements apply independently. Where a robo-advisory product interacts with customers in a conversational format, Article 50 limited-risk transparency obligations apply from 2 August 2026 — disclosure only, no conformity assessment.

One classification nuance: a "robo-adviser" that determines whether a natural person qualifies for a financial product — for example, eligibility to open a credit facility — starts to function as a creditworthiness-assessment tool under point 5(b). The function matters, not the product label. Providers of hybrid advice-and-eligibility systems should document a full Article 6 analysis.


AML, Transaction Monitoring, and Algorithmic Trading

Tier: Not high-risk under Annex III.

AML transaction-monitoring and suspicious-activity-reporting systems fall under the same logic as fraud detection: no Annex III point captures them. The applicable compliance framework is the EU AML Regulation ((EU) 2024/1624) and EBA guidelines on machine-learning model risk — not the EU AI Act high-risk stack.

Algorithmic trading systems operate on financial instruments rather than natural persons and equally fall outside Annex III. MiFID II (Articles 17 and 19 on algorithmic and high-frequency trading) remains the primary framework. A trading system that also generates personalised client recommendations through a conversational interface may attract Article 50 limited-risk transparency duties from 2 August 2026; the execution layer itself does not.


Credit Decision Chatbots and Customer-Facing AI

Tier: Limited-risk under Article 50. High-risk if creditworthiness function is embedded.

Customer-facing chatbots — loan enquiry assistants, mortgage eligibility guides, general-purpose virtual assistants for banking — fall into the Article 50 limited-risk tier when they interact with natural persons in a text or voice format. The disclosure requirement is clear: users must be informed they are interacting with an AI system. This obligation applies from 2 August 2026.

The classification changes if a chatbot is doing more than answering questions. A chatbot that collects applicant data and runs it through a scoring model to produce a credit recommendation or eligibility output is, in substance, a creditworthiness-assessment system. The delivery mechanism — conversational interface — does not change the underlying function. Providers should classify by what the system does, not what it looks like.


The Tier Map at a Glance

| Fintech AI Use Case | EU AI Act Tier | Annex III Reference |
| --- | --- | --- |
| Credit scoring / creditworthiness assessment | High-risk | Annex III, point 5(b) |
| Mortgage origination decisioning | High-risk | Annex III, point 5(b) |
| Life insurance risk and pricing | High-risk | Annex III, point 5(c) |
| Health insurance underwriting | High-risk | Annex III, point 5(c) |
| Fraud detection / transaction monitoring | Not high-risk — explicit carve-out | Point 5(b) exclusion |
| AML / suspicious-activity detection | Not high-risk | No Annex III point |
| Robo-advisory / investment recommendation | Not high-risk | No Annex III point |
| Algorithmic trading | Not high-risk | No Annex III point |
| KYC / identity document verification (standard) | Not high-risk | No Annex III point applies |
| Customer chatbots (conversational only) | Limited-risk | Article 50 |
| Chatbot with embedded credit eligibility function | High-risk | Annex III, point 5(b) |
| Motor / property / travel insurance pricing | Not high-risk | Point 5(c) does not extend |

The Article 6(3) Filter: When High-Risk Classification Can Be Rebutted

Falling within an Annex III point does not automatically confirm high-risk status. Article 6(3) allows a provider to conclude a system poses no significant risk of harm — provided it satisfies at least one of four conditions: narrow procedural task; improves the outcome of a previously completed human activity; detects decision patterns without replacing or influencing human assessment; or preparatory tasks only.

For most credit-scoring and insurance-pricing AI, the filter is unavailable: these systems profile natural persons, and any system that profiles natural persons is always high-risk regardless. A limited pre-screening tool that only checks whether an application is formally complete — before any human review — might qualify. The exemption claim must be documented in writing, and the provider must still register the system under Article 49.


Sector Overlaps: Where Other Frameworks Intersect

The EU AI Act does not replace sector-specific regulation for financial services. Three frameworks intersect directly with fintech AI governance:

DORA (Regulation (EU) 2022/2554, applicable from 17 January 2025) — financial entities must manage ICT risk, including AI system risk, as part of their operational resilience framework. A lender deploying a vendor credit-scoring model faces both EU AI Act deployer duties and DORA third-party oversight requirements simultaneously; the documentation is distinct but the due-diligence process can run in parallel.

GDPR Article 22 — the right not to be subject to decisions based solely on automated processing with legal or similarly significant effects. Credit and insurance eligibility decisions commonly engage this right. EU AI Act Article 14 (human oversight) is complementary: loan officers with override authority address both the Article 14 requirement and the GDPR Article 22 defence simultaneously. Note that GDPR Article 22 is a GDPR provision; do not confuse the article numbers with those of the EU AI Act.

Consumer Credit Directive II (Directive 2023/2225, in force from November 2025) — creditors must explain the basis for an adverse credit decision to the consumer. An AI credit-scoring system must be able to produce that explanation, which aligns with — but is independent of — the Article 14 interpretability and human-oversight requirements.


Deployer-Specific Obligations for Credit and Insurance AI

Deployers — banks, lenders, and insurers using a third-party system rather than building their own — have a shorter obligation list than providers, but two duties are specific to their fintech position.

Article 27 FRIA. Deployers of creditworthiness (Annex III 5(b)) or life/health insurance pricing (5(c)) systems must complete a Fundamental Rights Impact Assessment before going live. The FRIA maps rights of affected persons, risks, and mitigations, and is updated throughout operation. Article 27(4) permits it to build on an existing GDPR DPIA — a practical efficiency for firms with mature data-protection programmes.

Vendor due diligence. Request the Article 13 instructions for use and the Article 47 EU Declaration of Conformity as standard procurement requirements. A deployer that uses a non-compliant system does not shed liability by pointing to the provider; Article 26 imposes an independent duty to verify compliance.


Penalties

Non-compliance with high-risk obligations (Articles 9, 10, 11, 13, 14, 15, 43, 49) carries fines under Article 99(4) of up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. An Article 5 prohibition breach carries the top tier: €35,000,000 or 7% under Article 99(3). Article 99(6) caps fines for SMEs and start-ups at the lower of the percentage or the fixed sum — a meaningful calibration factor for smaller fintech firms whose 3% exposure is well below €15 million.


How Confir Helps

Determining the tier for each fintech AI system requires working through Annex III point by point, then applying the Article 6(3) filter for borderline cases. Confir's classification module does this with plain-English scenarios from the regulation's text — for a credit-scoring model it confirms the Annex III 5(b) classification, derives your role (provider or deployer), and maps the full obligation stack from a single intake. The logic is deterministic and rule-based; same inputs, same output, the rule that fired recorded for audit purposes.

For deployers that need the Article 27 FRIA, Confir generates the structured assessment from the classification output. For providers, the Conformity Package generates the Article 11 / Annex IV documentation pack and Article 47 / Annex V Declaration of Conformity. Start at confir.eu — pricing from €600 per year, credit-card checkout.


Frequently Asked Questions

Is a credit-scoring model always high-risk under the EU AI Act?

Yes, if it assesses the creditworthiness of natural persons or produces scores used in lending decisions. Annex III, point 5(b) names this use case explicitly. The classification applies regardless of whether the decision is fully automated — a model that produces a score that a loan officer then uses is still within scope if the score materially shapes the outcome. The only potential exit is Article 6(3), but any system that profiles borrowers cannot use that filter.

Why is fraud detection not high-risk?

Annex III, point 5(b) contains an explicit carve-out for AI used to detect financial fraud. The legislature's reasoning is clear: fraud-detection models protect consumers rather than determining their access to essential services. A transaction-monitoring system, a payment-anomaly engine, and an account-takeover detection model are all outside the high-risk tier on this basis. They may face GDPR Article 22 obligations if they produce legally significant automated decisions, but the EU AI Act high-risk stack does not apply.

Does life insurance pricing AI have the same obligations as credit scoring?

Yes. Annex III, point 5(c) places life and health insurance risk assessment in the high-risk tier, and the obligation stack is identical: Article 9 risk management, Article 10 data governance, Article 11 / Annex IV documentation, Article 14 human oversight, Article 43 conformity assessment, Article 27 FRIA for deployers. Motor and property insurance pricing AI is not in Annex III on this basis — the scope of point 5(c) is specific to life and health insurance.

Does a customer-facing chatbot in banking need a conformity assessment?

No — not on the basis of the chatbot function alone. Chatbots fall under Article 50 limited-risk transparency: users must be told they are interacting with an AI system. That is a disclosure obligation, not a conformity assessment. The answer changes if the chatbot embeds a creditworthiness or eligibility-determination function — in that case, the system is effectively a credit-assessment tool delivered through a conversational interface, and Annex III, point 5(b) applies.

Who owes the FRIA — the bank or the model vendor?

The deployer. Article 27 places the Fundamental Rights Impact Assessment obligation on the deployer of a creditworthiness (Annex III 5(b)) or life/health insurance pricing (5(c)) system — that is, the bank or lender using the AI, not the vendor that built it. The provider's obligation is to complete the conformity assessment (Article 43) and provide clear instructions for use (Article 13). Both parties have obligations, but the FRIA belongs to the deployer.

When do the high-risk obligations apply for fintech AI?

Under the Digital Omnibus (political agreement of 7 May 2026), the application date for stand-alone Annex III high-risk systems — including credit scoring under point 5(b) and insurance pricing under point 5(c) — is 2 December 2027. The original 2 August 2026 date was deferred. Article 50 limited-risk transparency applies from 2 August 2026. Article 5 prohibited practices have been in force since 2 February 2025.

