AI systems used in banking, insurance, and investment must comply with sector-specific regulations (MiFID II, Solvency II, CRD/CRR) alongside the EU AI Act, which classifies credit scoring and insurance pricing AI as high-risk under Annex III, point 5(b).
# Financial Regulation and AI: Banking, Insurance, and Investment Compliance

## Financial Services AI: A Dual Regulatory Burden
Financial institutions deploying AI face overlapping obligations from sector-specific financial regulation and horizontal AI legislation. The EU AI Act classifies several financial AI applications as high-risk under Annex III, point 5(b), including systems used to evaluate creditworthiness or establish credit scores. Meanwhile, existing financial regulation under MiFID II, Solvency II, and the Capital Requirements Directive already imposes model governance requirements that partially overlap with AI Act obligations.
The European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA) have each issued guidance on AI use within their respective sectors, adding further compliance layers.
## High-Risk AI in Finance Under the EU AI Act
| Financial Application | EU AI Act Classification | Sector Regulation |
|---|---|---|
| Credit scoring / creditworthiness | High-risk (Annex III, 5(b)) | CRD/CRR, Consumer Credit Directive |
| Insurance risk pricing | High-risk (Annex III, 5(b)) | Solvency II (Directive 2009/138/EC) |
| Algorithmic trading | Not listed in Annex III | MiFID II Article 17, RTS 6 |
| AML/KYC screening | Not listed in Annex III | AMLD6 (Directive 2024/1640) |
| Fraud detection | Not listed in Annex III | PSD2 (Directive 2015/2366) |
| Robo-advisory | Not listed in Annex III | MiFID II suitability requirements |
## Credit Scoring Obligations
Credit scoring AI systems must satisfy the full Chapter III requirements of the EU AI Act: risk management (Article 9), data governance (Article 10), technical documentation (Article 11), automatic logging (Article 12), transparency to deployers (Article 13), human oversight mechanisms (Article 14), and accuracy/robustness/cybersecurity (Article 15).
Additionally, GDPR Article 22 grants data subjects the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Credit decisions fall squarely within this provision. Institutions must either obtain explicit consent, ensure the decision is necessary for contract performance, or operate under Member State law that provides suitable safeguards. In all cases, meaningful human review must be available upon request.
## Algorithmic Trading Requirements
While algorithmic trading systems are not classified as high-risk under the EU AI Act's Annex III, they remain subject to stringent MiFID II requirements. Article 17 of MiFID II and RTS 6 (Commission Delegated Regulation 2017/589) mandate that investment firms using algorithmic trading must maintain effective systems and risk controls, test algorithms before deployment, deploy kill switches, and report to competent authorities. Firms must maintain records of all algorithmic orders for at least five years.
ESMA has indicated that AI-driven trading strategies fall within the MiFID II algorithmic trading framework regardless of whether the underlying models use machine learning or traditional statistical methods.
## Insurance Underwriting AI
AI used for insurance risk assessment and pricing is classified as high-risk under Annex III, point 5(b). Solvency II already requires insurers to validate actuarial models, maintain model governance frameworks, and document model limitations. The EU AI Act adds requirements for data governance in training datasets, transparency to deployers, and human oversight that go beyond existing Solvency II obligations.
EIOPA has specifically cautioned against AI models that use proxy variables correlated with protected characteristics (such as postcode as a proxy for ethnicity), as this may violate both the EU AI Act's non-discrimination requirements and the Insurance Distribution Directive (Directive 2016/97).
## Model Risk Management
The EBA's guidelines on internal governance (EBA/GL/2021/05) and the ECB's Guide to Internal Models require banks to maintain comprehensive model risk management frameworks. For AI models, this includes validation of model performance, explainability assessments, ongoing monitoring for concept drift, and periodic model review. These requirements complement the EU AI Act's post-market monitoring obligations under Article 72.
- Maintain a model inventory covering all AI/ML models in production
- Conduct independent model validation before deployment
- Monitor model performance metrics and trigger revalidation when performance degrades
- Document model limitations and assumptions
- Establish clear escalation procedures for model failures
## Cross-Border Compliance
Financial institutions operating across jurisdictions must reconcile EU requirements with national implementations and third-country rules. The UK Financial Conduct Authority (FCA) has published AI guidance under its existing regulatory framework without introducing AI-specific legislation. The US Office of the Comptroller of the Currency (OCC) issued SR 11-7 on model risk management, which applies to AI models used by supervised institutions. Singapore's MAS has published its Fairness, Ethics, Accountability and Transparency (FEAT) principles for AI in financial services.
## Practical Compliance Steps
Financial institutions should begin by mapping all AI systems against both EU AI Act classifications and applicable sector regulation. Identify systems that fall under Annex III, point 5(b) and initiate Chapter III compliance programs. For algorithmic trading systems, verify that existing MiFID II compliance covers AI-specific risks such as emergent behavior in reinforcement learning models. Establish a unified model governance framework that satisfies both financial supervisory expectations and EU AI Act requirements, avoiding duplicative compliance workstreams where possible.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently; verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.