EU AI Act compliance for banking AI in 2026

Annex III, point 5(b) of Regulation (EU) 2024/1689 covers AI systems "intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud" [1]. The named carve-out for fraud detection is meaningful in banking - transaction monitoring, anti-money-laundering screening, and fraud-scoring AI used to flag transactions for human review sit outside the high-risk band by explicit exception, even though they involve scoring natural persons.

Inside the high-risk band: retail credit underwriting AI, behavioural scoring used in pricing or limit-setting, AI-driven affordability assessments, and propensity models that feed legally-significant decisions. SME and corporate credit AI involve legal persons rather than natural persons in the borrower role; the Annex III text refers to "natural persons" specifically, so corporate credit AI is generally outside the high-risk band but inside the EBA model-risk and ICRG governance framework [3].

Article 43 of the AI Act provides a special route for credit institutions. Article 43(2) allows banks regulated under Directive 2013/36/EU to integrate the AI conformity assessment into the existing internal control framework required by that Directive, rather than running a parallel internal-control procedure under Annex VI. The result is one assessment, not two, but the assessment has to satisfy both regimes [1].

The practical evidence is the integrated Annex IV technical documentation pack plus the EBA-aligned model risk management evidence: the model inventory entry, the model validation report from the independent validation function, the Board-level model risk governance approval, the use-case statement, and the ongoing monitoring plan. The EU declaration of conformity under Article 47 references both legal bases. The Article 49 EU database registration applies. The Article 72 post-market monitoring obligation applies on top of the EBA monitoring expectations.

Three filters in sequence. First, function. Creditworthiness or credit scoring of a natural person triggers point 5(b); fraud detection is excluded by name; transaction monitoring for AML purposes is generally outside the high-risk band. Second, the natural-person test. SME and corporate credit AI is not in scope where the borrower is a legal person, even though the underlying directors or guarantors are natural persons. Third, the Article 6(3) carve-out for narrow procedural tasks, improvements on a completed human activity, pattern detection without replacing the human assessment, and preparatory tasks - applied with documented reasoning in the technical file.

The interaction with EBA model risk management is the part that catches banks. The EBA Guidelines on internal governance, the IRB model risk principles, and the SREP supervisory review process all require model-level documentation, validation and ongoing monitoring regardless of whether the model is technically "AI." A 2026 deployment that is high-risk under the AI Act and inside the IRB perimeter has to satisfy the AI Act technical documentation, the EBA validation expectations, and the SREP supervisory dialogue. DORA layers operational resilience expectations on top, including ICT third-party risk management when the AI is sourced from a vendor classified as a critical ICT third-party [4].

Annex IV of the AI Act sets the contents [1]. For banking AI the binding parts are Article 10 data governance, Article 14 human oversight, and Article 15 accuracy and robustness. Training data must be representative across the bank's actual portfolio. A model trained on the prime-segment book will discriminate when applied to subprime; a model trained on a single-Member-State book will mispriced when applied across the Single Market. The technical file has to evidence portfolio-representative training and out-of-distribution validation.

The Basel Committee's 2024 paper on the digitalisation of finance and the BCBS principles for the sound management of operational risk converge on the same expectations from a prudential angle: Board-level model governance, an independent validation function, change management for model updates, and incident reporting [2]. The EBA's report on big data and advanced analytics, while older, is the canonical regulator-side reading of how these expectations apply to AI specifically [3].

Article 14 expects a designated reviewer with the competence, authority and information to override. For high-volume retail credit, the operational pattern is sampled review with full review of edge cases - declines near the threshold, approvals for atypical applicants, output below a confidence band - rather than 100% review. The threshold itself is a control. EBA expects the threshold and the review architecture to be documented and tested. GDPR Article 22 prohibits decisions based solely on automated processing producing legal or similarly significant effects unless one of the three exemptions applies; the CJEU C-634/21 (SCHUFA) decision clarified that a score handed to a third party who relies on it strongly can be the Article 22 decision [5].

Article 86 of the AI Act, applying from 2 August 2026, gives the data subject the right to a clear and meaningful explanation of the role of the AI in the decision and the main elements of the decision. For credit decisions this is a designed artefact: the features used, the model output, the human reviewer's decision and reasoning, and the alternative outcomes considered. Build the artefact at design time.

Impetora ships every banking AI system with a written risk classification analysis (point 5(b) yes or no, with the natural-person and function reasoning written out), a data-governance description aligned with Article 10 plus the EBA loan origination and IRB model risk expectations, an integrated Annex IV plus EBA model file under the Article 43(2) route, a human-oversight design spec mapped to Article 14, GDPR Article 22 and the SCHUFA case, an Article 86 explanation artefact, a DORA ICT third-party risk register entry where the AI is sourced from an external provider, and a post-market monitoring plan with named drift metrics, owners and reporting cadence.

For deployments inside the IRB perimeter, the technical file is integrated into the bank's existing IRB model documentation rather than produced as a parallel pack. Cross-references: the EU AI Act overview, the banking industry hub, the decision-support AI use case, and the TRACE methodology.