AI credit decisioning fairness: what EU rules require

Fairness in this context is a regulatory term combining several legal obligations. First, prohibition of discrimination on protected grounds (Article 21 of the Charter, the Race Equality Directive 2000/43/EC, the Gender Goods and Services Directive 2004/113/EC). Second, the Article 22 GDPR safeguards on solely-automated decisions. Third, the AI Act's data governance and bias-testing duties under Article 10. Fourth, the EBA guidelines' expectation that automated models be challenged for unintended outcomes.

Statistical fairness metrics (demographic parity, equalised odds, calibration) are tools used to evidence compliance with these obligations. None of them is itself a legal standard.

In December 2023 the Court of Justice ruled in case C-634/21 (OQ v SCHUFA Holding) that the automated establishment of a probability value (a credit score) is itself a "decision based solely on automated processing" under Article 22 GDPR when that score plays a determining role in a subsequent contractual decision [2].

The practical consequence: the credit-scoring step, not just the lender's loan decision, falls inside Article 22. Both the score provider and the lender carry obligations. Banks that use third-party scoring (SCHUFA, Experian, Equifax, national bureaus) must ensure the upstream score complies and that the downstream decision provides Article 22 safeguards.

Article 10 of the AI Act sets data-governance duties for high-risk systems including credit AI: training, validation and testing data must be relevant, sufficiently representative, free of errors as far as possible, and complete. Article 10(5) explicitly permits processing of special categories of personal data where strictly necessary to ensure bias detection and correction.

Article 14 requires effective human oversight. Article 15 requires accuracy, robustness and cybersecurity proportionate to the intended purpose. The combination means that bias testing, including disparate-impact testing across protected classes, is a documented duty rather than a discretionary best practice.

Six controls supervisors expect to see. First, exclusion of protected attributes and validated proxies from features. Second, disparate-impact testing across protected classes at training time and in production monitoring. Third, calibration analysis showing equal predictive validity across groups. Fourth, documented data-governance procedures aligned with Article 10. Fifth, human-oversight policy mapping scores to actions with clear override authority (Article 14). Sixth, customer-facing meaningful information and right-to-contest pathway (Article 22 GDPR).

The most common audit gap is treating bias testing as a one-off pre-launch check. Production drift can introduce disparities a clean development model never showed; without ongoing monitoring, the bank inherits the drift undetected.

Directive (EU) 2023/2225 modernised the EU consumer credit framework. Article 18 covers creditworthiness assessment and explicitly addresses the use of automated processing. Where assessment is conducted through automated processing, the consumer has the right to request human intervention, express their point of view and obtain a clear explanation of the assessment [3].

This is consistent with Article 22 GDPR but adds a sector-specific layer: explicit reference in the credit-agreement disclosures and the right to a clear explanation of the assessment, not merely the logic at large. Banks must update pre-contractual information to reflect the directive's requirements as Member States transpose it through 2026.

Impetora's TRACE methodology builds the four artefacts supervisors examine: a data-governance pack aligned with Article 10, a fairness testing protocol covering disparate impact and calibration across protected classes, a human-oversight policy mapping scores to actions, and a customer-facing explanation framework that satisfies Article 22 and Directive 2023/2225 Article 18. Trust covers the contracting layer (third-party score providers, sub-processors). Citations and Evidence covers the audit trail.