High-Risk under Annex III

Fintech AI is high-risk under the EU AI Act

Credit scoring, fraud detection, and insurance underwriting AI all fall under Annex III, point 5 (access to essential private and public services). If your AI affects whether individuals get loans, insurance, or financial services, you have 93 days to comply.

Which fintech AI is high-risk?

Annex III, point 5 covers AI used to evaluate creditworthiness, set insurance premiums, or determine access to essential services.

Credit scoring & lending decisions

AI that evaluates creditworthiness, approves or rejects loan applications, or sets credit limits for individuals

Fraud detection affecting individuals

Systems that flag, block, or restrict accounts based on fraud risk scores when those decisions impact access to services

Insurance underwriting & pricing

AI that calculates insurance premiums, assesses risk profiles, or decides coverage eligibility for individual applicants

Benefits eligibility assessment

AI systems that evaluate, grant, reduce, or revoke access to public assistance, benefits, or essential financial services

What's not high-risk in fintech?

Not every fintech AI tool triggers Annex III. The key factor is whether AI decisions directly affect individual access to financial services.

Internal fraud analytics that don't directly affect individual accounts
Market analysis and trading algorithms (B2B, no individual impact)
Anti-money laundering screening (may fall under law enforcement rules instead)
Customer service chatbots (limited risk, transparency obligations only)

Even if your system is not high-risk, transparency obligations under Article 50 may still apply. Run the free classifier to find out.

10 mandatory obligations for high-risk fintech AI

Each must be in place before August 2, 2026. Non-compliance risks fines up to €15 million or 3% of global turnover.

1. Risk management system (Article 9)
2. Data governance & bias documentation (Article 10)
3. Full Annex IV technical documentation
4. Automatic event logging (Article 12)
5. Transparency & instructions for deployers (Article 13)
6. Human oversight measures (Article 14)
7. Accuracy, robustness & cybersecurity (Article 15)
8. Conformity assessment (Article 43)
9. EU database registration (Article 49)
10. Post-market monitoring (Article 72)

Already GDPR compliant?

Some work carries over

If you already meet GDPR requirements, your data governance documentation and DPIA processes will partially cover EU AI Act Article 10 (data governance) and Article 9 (risk management). But the AI Act adds AI-specific requirements that GDPR doesn't cover: bias detection, model accuracy documentation, conformity assessment, and continuous post-market monitoring.


93 days until enforcement

Financial services AI will face heavy regulatory scrutiny from day one. Classify your system now and start generating the compliance documentation you need.