The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. The rules for high-risk AI systems come into effect in August 2026. For financial institutions, that deadline is not abstract. It applies directly to the AI systems already running inside your organisation.
This post covers what the Act requires of financial services firms, which AI systems are affected, what compliance looks like in practice, and what happens if you miss the deadline.
What the EU AI Act Actually Does
The Act does not ban AI. It classifies AI systems by the risk they pose and assigns compliance obligations accordingly.
Unacceptable risk is prohibited outright. Most of the text addresses high-risk AI systems, which are regulated. A smaller section handles limited-risk systems, subject to lighter transparency obligations. Minimal risk is unregulated.
For financial institutions, the relevant category is almost always high-risk. The systems you rely on for credit decisions, fraud detection, and insurance pricing sit squarely in that bracket.
Which Financial AI Systems Are High-Risk
Annex III of the Act explicitly designates the following financial use cases as high-risk: credit scoring and creditworthiness assessment, insurance pricing and risk assessment for life and health insurance, and fraud detection in certain contexts.
Specifically, the Act covers AI systems intended to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud, and AI systems intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance.
Note the fraud detection exception. A standalone AI fraud detection tool may not automatically qualify as high-risk under Annex III, but it may still trigger obligations under other provisions depending on how it processes personal data.
Many of the AI use cases common in fintech, including credit scoring, loan approval, fraud detection, AML risk profiling, and automated decision-making that affects access to financial services, are explicitly classified as high-risk AI systems under the Act.
EU AI Act High-Risk Classification for Finance
| AI System | High-Risk? | Key Article |
|---|---|---|
| Credit scoring / creditworthiness | Yes | Annex III |
| Life and health insurance pricing | Yes | Annex III |
| AML risk profiling | Yes (individual profiling) | Annex III |
| Fraud detection (standalone) | Conditional | Annex III exception |
| Customer service chatbot | No (limited risk) | Article 50 |
| Internal process automation | No (minimal risk) | N/A |
| KYC / identity verification (biometric) | Yes | Annex III |
Key EU AI Act Enforcement Deadlines
The obligations under the EU AI Act will be phased in over several years, with key milestones as follows: by 2 February 2025, prohibited AI practices must cease and AI literacy obligations will begin; by 2 August 2025, governance provisions and obligations for general-purpose AI models will come into effect; by 2 August 2026, high-risk AI systems in the financial sector must comply with specific requirements; and by 2 August 2027, the remaining provisions will become fully applicable.
Recent regulatory developments have introduced uncertainty into this timeline. The European Commission proposed a Digital Omnibus package in late 2025 that could postpone high-risk obligations for Annex III systems until December 2027. However, organisations should not assume this extension will materialise — prudent compliance planning treats August 2026 as the binding deadline.
EU AI Act Timeline Summary
| Date | Obligation |
|---|---|
| 2 February 2025 | Prohibited practices must stop. AI literacy obligations begin. |
| 2 August 2025 | Governance rules and GPAI model obligations apply. |
| 2 August 2026 | High-risk AI system requirements enforceable. |
| 2 August 2027 | Remaining provisions, including product-embedded AI. |
What High-Risk EU AI Act Compliance Requires
High-risk AI systems must comply with stringent requirements: automated logging, risk management systems, data governance, technical documentation, transparency obligations, and human oversight.
Breaking these down for a financial institution:
Risk management system (Article 9): A documented, continuous process for identifying and mitigating risks associated with each high-risk AI system throughout its lifecycle. This is not a one-time assessment. It runs from development through decommissioning.
Data governance (Article 10): Training, validation, and testing datasets must be relevant, representative, and free of errors to the extent possible. For credit scoring models, this means documented data lineage and bias testing.
Technical documentation (Article 11): Before placing a high-risk system on the market, providers must produce documentation sufficient for regulators to assess compliance. This includes system architecture, training methodology, performance metrics, and intended use.
Transparency and instructions for use (Articles 13-14): Deployers must receive sufficient information to use the system correctly. Affected individuals have rights to explanation — any person subject to a decision based on high-risk AI that significantly affects them is entitled to a clear explanation covering the AI system’s role in the decision-making process, the main parameters that influenced the system’s output, and human oversight involved in reaching the final decision.
Human oversight (Article 14): High-risk systems must be designed so that human oversight is possible and meaningful. A human must be able to understand, monitor, and where necessary override the system’s output.
Accuracy, robustness, and cybersecurity (Article 15): Systems must perform consistently and resist adversarial inputs.
Conformity assessment and EU database registration: Before deployment, high-risk AI systems must complete a conformity assessment and be registered in the EU database.
Who Is Responsible: Providers vs Deployers
The Act distinguishes between providers (those who build the AI system) and deployers (those who use it in a professional context). Both have obligations, but the burden falls more heavily on providers.
In credit underwriting, where customisation and retraining of AI systems are common, financial institutions must understand when they cross the threshold from being a deployer to a provider. This distinction should guide both legal compliance strategies and internal governance reforms.
If your institution takes a third-party credit scoring model and retrains it on your own data, you may have crossed from deployer to provider. That changes your compliance obligations significantly.
Where deployers control input data, they are responsible for ensuring its relevance and representativeness. They must continuously monitor system performance and report serious incidents without delay. Deployers must retain system logs and comply with transparency obligations towards affected individuals.
EU AI Act Interaction with Existing Financial Regulation
The AI Act does not replace existing financial services regulation. It layers on top of it.
The AI Act expressly points to existing EU financial services laws, including directives that contain the internal governance and risk management requirements for financial services entities. The existing requirements in EU financial services law will be expected to apply to financial services entities when they make use of AI systems.
Enforcement under the AI Act will therefore fall to the financial services authorities of member states and the European Banking Authority, European Securities and Markets Authority, and European Insurance and Occupational Pensions Authority.
This means your EBA, ESMA, or EIOPA supervisor is also your AI Act supervisor. Compliance failures may trigger both AI Act penalties and sector-specific enforcement actions simultaneously.
The Digital Omnibus proposal introduced in November 2025 introduces a single incident reporting point and aligns breach notification thresholds and timelines, reducing compliance burdens and clarifying the use of personal data in AI, including for creditworthiness assessments. This proposal is still under legislative procedure as of March 2026.
What Penalties Can Be Expected?
Penalties for non-compliance are significant: up to €35 million or 7% of worldwide turnover for prohibited practices, up to €15 million or 3% for other infringements, and up to €7.5 million or 1% for supplying incorrect or misleading information. The penalties apply to both EU and non-EU based companies offering AI systems in the EU.
The extraterritorial reach matters. A US-based company using AI for loan approvals that serves European customers falls within scope, even if the AI models run on servers outside Europe.
What to Do Before August 2026
Until 2 August 2026, organisations should classify all AI systems, assess whether they fall under high-risk or prohibited categories, and implement relevant measures for risk management, human oversight, data governance, and transparency. By 2 August 2026, conformity assessments should be completed, technical documentation finalised, CE marking affixed, and EU database registration for high-risk systems completed. After 2 August 2026, organisations should continuously monitor regulatory updates, respond to consultations, cooperate with authorities, report incidents promptly, and update compliance processes.
A practical sequence for a financial institution:
- Build an AI inventory across all business units — many institutions have more AI systems in production than their compliance teams are aware of.
- Classify each system against the Annex III criteria. Document the classification decision either way.
- For each high-risk system, assign a responsible owner and begin the risk management and documentation process.
- Audit data governance for training and validation datasets, particularly for credit and insurance models.
- Design or verify human oversight mechanisms for each high-risk system.
- Complete conformity assessments and register in the EU AI database before the August 2026 deadline.
EU AI Act Definitions Worth Knowing
Provider: An organisation that develops an AI system and places it on the EU market under its own name or trademark, or has it developed for this purpose.
Deployer: An organisation that uses an AI system in a professional capacity within the EU.
High-risk AI system: An AI system listed in Annex III of the Act, or one that serves as a safety component of a product covered by EU harmonisation legislation listed in Annex I.
GPAI model: A general-purpose AI model trained on large amounts of data, capable of performing a wide range of tasks, such as large language models. Separate obligations apply from August 2025.
Conformity assessment: The process by which a provider demonstrates that a high-risk AI system meets the requirements of the Act before placing it on the market.
Technical documentation: A structured set of documents demonstrating how a high-risk AI system was built, trained, tested, and is intended to operate — required before deployment.
FAQ
Does the AI Act apply to AI systems deployed before August 2026?
Yes. Obligations under the Act apply to all operators of high-risk AI systems in place before 2 August 2026. Systems already in production are not exempt.
Is fraud detection always high-risk?
\Not automatically. The Act creates an exception for AI systems used specifically to detect financial fraud. However, if a fraud detection system also profiles individuals across broader behavioural or economic characteristics, it may fall back into the high-risk category. Each system needs individual assessment.
What if we use a third-party AI model from a vendor?
The deployer obligations still apply to your institution. You must receive adequate technical documentation from the vendor, ensure human oversight is possible, monitor performance, and retain logs. If you retrain or significantly modify the model, you may become the provider.
How does the AI Act interact with GDPR?
The frameworks overlap. If deployers of high-risk AI systems are required to perform a Data Protection Impact Assessment under GDPR, they should use information provided by the provider under Article 13 of the AI Act. A single coordinated process covering both obligations is more efficient than running them separately.
What does the Digital Omnibus proposal change?
The proposal, introduced in November 2025, could extend certain high-risk deadlines and simplify incident reporting. It is not yet law. Treat August 2026 as the operative deadline until the proposal is formally adopted.
Who supervises AI Act compliance in the financial sector?
Your existing sector regulator — the EBA for banks, ESMA for investment firms, EIOPA for insurers — plus national competent authorities designated under the Act. The AI Office at EU level oversees GPAI models.
Are non-EU financial institutions subject to the Act?
If their AI systems are used within the EU or produce outputs that affect EU residents, yes. The Act’s reach mirrors the GDPR’s approach to extraterritorial application.
This post is based on Regulation (EU) 2024/1689 (the EU AI Act), guidance published by the European Banking Authority, and analysis from K&L Gates (January 2026), Goodwin Law (August 2024), and the European Commission’s AI Act information platform (digital-strategy.ec.europa.eu). It does not constitute legal advice. Consult qualified legal counsel for advice specific to your organisation.