Quick answer

Annex III point 5 of the EU AI Act classifies as high-risk the AI systems used to decide access to essential services: public assistance and benefits eligibility, creditworthiness evaluation and credit scoring, risk assessment and pricing in life and health insurance, and emergency call classification and dispatch. Banks, insurers and public bodies must comply by August 2, 2026.

Updated June 2026 · MmowW AI Compliance

EU AI Act: High-Risk AI in Essential Services — Credit Scoring, Insurance and Benefits

Overview: AI That Gates Access to Essential Services

Annex III point 5 of the EU AI Act (Regulation (EU) 2024/1689) targets a specific kind of power: algorithms that decide whether a person gets a loan, an insurance policy, a social benefit or an ambulance. The European legislator grouped these under access to and enjoyment of essential private services and essential public services and benefits, reasoning that an adverse automated decision in these areas can determine a person's livelihood, housing, health and financial inclusion. From August 2, 2026, these systems carry the full high-risk obligations of Chapter III.

The Four Use Cases in Point 5

The provision lists four distinct use cases, each discussed in its own section below:

  1. 5(a): evaluating eligibility for public assistance benefits and services, including decisions to reduce, revoke or recover them
  2. 5(b): evaluating the creditworthiness of natural persons or establishing their credit score, with a narrow exception for AI used to detect financial fraud
  3. 5(c): risk assessment and pricing in life and health insurance
  4. 5(d): classifying emergency calls and prioritising or dispatching emergency response

What This Means for Banks and Lenders

Credit scoring is the highest-volume commercial use case in point 5. Any model that evaluates the creditworthiness of natural persons — application scoring, behavioural scoring used in lending decisions, credit limit setting tied to creditworthiness — is in scope. The fraud detection exception is narrow: it covers AI used to detect financial fraud, not general credit decisioning. Business lending to legal persons is outside point 5, but scoring of sole traders and consumer-like small business owners as natural persons is within it.

For banks, two features of the regulation soften the operational burden. First, Article 17(4) and related provisions let financial institutions satisfy parts of the quality management and monitoring obligations through their existing governance under Union financial services law. Second, under Article 74(6), the market surveillance authority for AI used by regulated financial institutions can be the existing financial supervisor, which means supervision arrives through a familiar channel. Neither feature removes the substantive requirements: bias-tested data governance under Article 10, human oversight that can meaningfully challenge a score under Article 14, technical documentation, logging and registration all still apply.

What This Means for Insurers

Point 5(c) is deliberately limited to life and health insurance. Motor, property and travel underwriting models are not captured by this point, although they remain subject to other law and may be voluntarily aligned through codes of conduct under Article 95. For life and health products, both risk assessment (underwriting, medical risk classification) and pricing models are covered. Insurers should pay particular attention to proxy discrimination: Article 10 requires examination of datasets for possible biases likely to affect health and safety or lead to discrimination prohibited under Union law, and health-correlated variables are full of such proxies. The fundamental rights impact assessment under Article 27 applies to private entities providing essential services, which includes insurers deploying these systems.

What This Means for Public Authorities

Use case 5(a) reaches every layer of the welfare state: eligibility scoring for unemployment support, housing benefit, disability assessments, healthcare entitlements, and systems that flag claims for reduction, revocation or recovery. Several European countries have already experienced public scandals involving automated benefits fraud scoring; point 5(a) is the legislative answer. Public deployers must complete a fundamental rights impact assessment before first use, register their use of the system in the EU database under Article 49(3), and provide for human oversight capable of overturning the system's outputs. Emergency call triage under 5(d) adds a safety dimension: dispatch prioritisation errors can be fatal, so accuracy and robustness evidence under Article 15 must reflect realistic, degraded and high-load conditions.

Provider or Deployer: Know Your Role

Most banks and insurers deploy models developed in-house, which makes them providers and deployers at once — they carry both the conformity assessment duties and the use-phase duties. Institutions that license scoring models or cloud underwriting platforms are deployers, but they should verify the vendor's conformity documentation, CE marking and EU database registration before relying on it. Under Article 25, an institution that puts its name on a third-party system, or substantially modifies one, becomes the provider. Credit bureaus and analytics vendors selling scoring systems into the EU are providers wherever they are established.

Practical Compliance Steps

  1. Inventory every model touching creditworthiness, life and health underwriting, benefits eligibility or emergency dispatch, including vendor systems and spreadsheets-with-models that function as AI systems under Article 3(1)
  2. Confirm classification in writing, including any Article 6(3) derogation analysis — noting that credit scoring and benefits eligibility typically involve profiling of natural persons, which excludes the derogation
  3. Gap-assess against Articles 9 to 15, reusing existing model risk management frameworks where they genuinely cover the requirements
  4. Implement human oversight that is operationally real: staff empowered and trained to override scores, with override rates monitored
  5. Prepare Annex IV technical documentation and register provider-role systems in the EU database
  6. For public bodies and essential service providers, complete the Article 27 fundamental rights impact assessment before deployment

Concrete Example

A mid-sized EU bank uses an in-house gradient boosting model for consumer loan approvals and a vendor system for behavioural credit line management. Both are Annex III 5(b) systems. For the in-house model the bank is provider and deployer: it needs full technical documentation, conformity assessment under internal control, CE marking, registration, and integration of AI risk management into its existing model governance. For the vendor system the bank is deployer: it must obtain the instructions for use, verify the vendor's registration, assign oversight, retain logs and feed serious incidents back to the provider and authorities. If the bank retrains the vendor model on its own data beyond the vendor's specification, it risks becoming the provider of a modified system.

Action Before August 2, 2026

The deadline for Annex III systems is August 2, 2026, and financial services firms face an additional reality: supervisors already expect model governance, so AI Act gaps will read as governance failures. The efficient path is integration, not duplication — map Articles 9 to 15 onto existing credit risk, actuarial and operational risk frameworks, document the deltas, and close them. Penalties for non-compliance with high-risk obligations reach 15 million euros or 3 percent of worldwide annual turnover, whichever is higher, and reputational exposure in consumer finance is arguably larger still.

Interplay With GDPR and the Right to Explanation

Point 5 systems process personal data almost by definition, so the AI Act applies cumulatively with the GDPR. Article 22 GDPR already restricts solely automated decisions with legal or similarly significant effects — which covers most credit denials and benefits decisions — and requires meaningful information about the logic involved. The AI Act adds Article 86: a person affected by a decision taken on the basis of the output of an Annex III high-risk system, which produces legal effects or similarly significantly affects them, has the right to obtain from the deployer a clear and meaningful explanation of the role of the AI system in the decision-making procedure and the main elements of the decision taken.

For lenders and insurers this means explanation capability is now a regulated product feature, not a customer service courtesy. Model documentation must support individual-level explanations that front-line staff can actually deliver. Data governance under Article 10 of the AI Act and data minimisation under the GDPR must be reconciled in the same data pipeline design, and records of processing under the GDPR should be linked to the AI Act technical documentation so that supervisors approaching from either direction find a coherent picture. Institutions that have invested in explainability tooling for supervisory model validation are already most of the way there; the remaining work is turning internal explanations into ones an affected consumer can understand.

A final note on timing and sequencing. Because point 5 systems are typically deeply embedded in core lending, underwriting and claims platforms, the realistic critical path is not the legal analysis but the engineering backlog: instrumenting logging, building override workflows, regenerating documentation for models that were trained years ago, and renegotiating vendor contracts. Institutions that began this work in 2025 report that documentation reconstruction for legacy models is the largest single effort. Those starting in mid-2026 should triage ruthlessly: customer-facing decision systems first, then internal scoring, then peripheral analytics, with a documented remediation plan for anything that cannot be completed by August 2 — supervisors respond better to a credible, dated plan than to silence.

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.