AI claims processing in EU insurance: rules and design

Claims AI typically combines five functions. Intake automation: extracting structured fields from claim forms, photos, repair invoices and medical reports. Fraud and anomaly detection: scoring each claim against historical fraud patterns and network connections. Severity and reserving prediction: estimating ultimate cost on first notification. Decisioning: routing low-value low-risk claims to fast-track settlement and complex claims to human handlers. Customer communication: automated status updates and conversational interfaces.

Each function has a different regulatory profile. Intake and communication are mostly governed by GDPR. Fraud screening sits inside the AI Act Annex III 5(b) fraud-detection exception. Severity prediction in life and health insurance touches Annex III 5(b) high-risk pricing. Decisioning that produces an automated denial without human review is the Article 22 GDPR case.

Annex III 5(b) of Regulation (EU) 2024/1689 covers AI systems "intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance". Property and casualty pricing is not included. Fraud detection is excluded by the same provision's carve-out [1].

For life and health claims AI that informs pricing decisions or coverage entitlements, the high-risk classification triggers the full Chapter III obligations: risk-management system, data governance, technical documentation, logging, transparency, human oversight, accuracy and post-market monitoring. For property and casualty, AI Act high-risk does not engage; Solvency II governance and GDPR still do.

EIOPA's 2021 AI governance principles set six expectations: proportionality, fairness and non-discrimination, transparency and explainability, human oversight, data governance, and robustness and performance. The principles apply across the insurance value chain, including claims, and are referenced by national supervisors as the working baseline for AI governance assessments [2].

The principles dovetail with Solvency II Article 41's system-of-governance requirements. Insurers must integrate AI governance into the existing three-lines-of-defence framework: actuarial function and risk management as second line, internal audit as third line, with documented sign-off authority for material model changes.

An automated claims denial that produces a legal effect on the policyholder (rejection of cover, reduced settlement, denial of further benefits) is the textbook Article 22 case. The insurer must rely on contract necessity, implement the right to human intervention and contest, and provide meaningful information about the logic, significance and envisaged consequences.

The 2024 EDPB guidelines clarify that "similarly significant effects" can include settlement delays and partial denials, not only outright rejection. Insurers should map every automated step in the claims journey to either pre-Article-22 (auxiliary processing) or Article-22 (decision-affecting) and apply safeguards accordingly.

Five layers. Document layer with audit trail of every extraction and human override. Fraud-screening layer using the AI Act exception, but with documented governance and SR-11-7-style validation. Severity-and-reserving layer integrated with the actuarial function under Solvency II. Decisioning layer with explicit policy on automated approval bands, mandatory human review thresholds and escalation. Communication layer with Article 50 transparency notices where customers interact with AI.

The most common audit finding is a fast-track approval flow whose policy band has expanded over time without governance review. The score is not the decision; the policy that maps score to action must be documented, periodically reviewed and signed off by the actuarial and risk functions.

Impetora's TRACE methodology applies the same governance discipline that insurer model-risk and actuarial functions expect. Trust covers the contractual and DORA-aligned vendor layer. Readiness produces the workflow audit and document-extraction quality baseline. Architecture covers production-grade design with logging and recoverability. Citations and Evidence covers the audit-trail layer reviewed by EIOPA, national supervisors and internal audit.