
The AI Act meets financial regulation

Banks and fintech firms already operate under extensive sectoral regulation. Regulation (EU) 2024/1689 of the European Parliament and of the Council (the AI Act) adds a further layer on top of this, with particular focus on how AI systems are used. The Act is an EU regulation and applies directly in the member states; no separate national implementing law is required.

The AI Act does not replace existing financial regulation but complements it. Some requirements, for example around risk management and governance, may in practice partly overlap with requirements that already follow from sectoral rules, but they constitute separate legal bases.

Credit scoring as high-risk under Annex III

Annex III lists areas of use that are classified as high-risk. These include, among others, AI systems intended to be used for the credit scoring and creditworthiness assessment of natural persons. This is central for banks, credit providers and many fintech firms.

When an AI system is used for credit scoring, it falls under the high-risk regime. The obligations for providers of Annex III systems apply from 2 August 2026. A proposal, the Digital Omnibus, would postpone these to 2 December 2027 (not yet in force; approved by the European Parliament on 16 June 2026, but the Council awaits publication in the Official Journal). Until then, the date of 2 August 2026 applies.

Roles: provider or deployer

The AI Act distinguishes between the provider and the deployer. A bank that procures and uses a credit scoring system is typically a deployer. The party that develops and places the system on the market is the provider.

Note Article 25: under certain conditions a deployer may be reclassified as a provider, for example if the deployer puts its own name on the system or makes a substantial modification to a high-risk AI system. Such reclassification entails significantly more extensive obligations.

The deployer's obligations under Article 26

For deployers of high-risk AI systems, Article 26 sets out a number of obligations, including to:

  • use the system in accordance with the provider's instructions for use,
  • ensure human oversight by persons with appropriate competence,
  • ensure that input data is relevant in view of the intended purpose of the system, in so far as the deployer exercises control over the input data,
  • monitor the operation and notify the provider and the competent authority in the event of risks or serious incidents.

For credit scoring, the provision of information to the affected natural persons also becomes relevant, in accordance with the Act's provisions on high-risk AI systems.

AML and other use cases

Many banks use AI in anti-money-laundering (AML) measures, transaction monitoring and fraud detection. Whether any such system is high-risk under Annex III must be assessed case by case, based on the system's intended purpose. Regardless of classification, the AI literacy requirement under Article 4, in force since 2 February 2025, still applies, as does the prohibition of the practices in Article 5.

Transparency under Article 50 for chatbots

Article 50 (transparency) applies from 2 August 2026. For banks and fintech this is particularly relevant for chatbots and other conversational interfaces: natural persons must be informed that they are interacting with an AI system, unless this is obvious. In addition, there are requirements to mark certain AI-generated or manipulated content.

Penalties under Article 99

  • Prohibited practices under Article 5: up to EUR 35 million or 7 % of global annual turnover.
  • Infringements of, among others, Article 50 and the high-risk obligations: up to EUR 15 million or 3 %.
  • Incorrect information to authorities: up to EUR 7.5 million or 1 %.

For financial actors with significant turnover, percentage-based fines can become substantial.

Before procurement

  • Map which AI systems are used for credit scoring and check whether they constitute high-risk under Annex III.
  • Determine your role: provider or deployer – and consider reclassification under Article 25.
  • Request the provider's documentation and instructions for use in order to meet Article 26.
  • Ensure Article 50 transparency for chatbots ahead of 2 August 2026.
  • Document AI literacy under Article 4 (cf. PowerQuant Module 1 for AI inventory and Article 4 register).

This page is general information about the AI Act and does not constitute legal advice.