EU AI Act for Fintech and AI Companies: Your Specific Obligations

The EU AI Act treats fintech and AI-native companies as high-priority compliance targets. Credit scoring, fraud detection, GPAI platforms, and customer-facing AI chatbots all carry specific obligations. Here is what applies to you and when.

Better Societies · Updated June 2026 · 9-minute read

Why fintech and AI companies are especially exposed

Fintech and AI-native companies face higher EU AI Act exposure than most sectors for three reasons. First, creditworthiness evaluation and credit scoring of natural persons, and risk assessment and pricing for life and health insurance, are explicitly listed in Annex III (point 5) as high-risk uses. Second, providers of GPAI models carry a distinct set of obligations under Chapter V regardless of the risk tier of the systems later built on those models. Third, customer-facing AI interactions carry Article 50 transparency obligations that apply from August 2, 2026, with no grandfathering for chatbots already in production.

The jurisdictional reach is also broad: Article 2(1)(c) brings in providers and deployers established outside the EU whenever the output produced by the AI system is used in the Union. A US fintech lending to EU borrowers through an AI credit model is fully in scope.

Scenarios by company type

Fintech lender using AI credit scoring

High-Risk (Annex III)

AI systems intended to evaluate the creditworthiness of natural persons or establish their credit score are explicitly listed as high-risk in Annex III, point 5(b) (access to essential private services). This covers automated loan approval, risk-based pricing, and credit limit decisions for individuals. The same point expressly excludes AI systems used for the purpose of detecting financial fraud, which is dealt with in the next scenario.

What you must do:

  • Complete technical documentation of your scoring model: architecture, training data provenance, validation methodology, performance metrics
  • Establish a quality management system covering data governance and model updates
  • Implement human oversight for decisions that significantly affect applicants
  • Conduct conformity assessment (for Annex III systems other than biometrics this is the internal-control procedure in Annex VI, i.e. self-assessment, under Article 43(2))
  • Register the system in the EU database (Article 71) before placing it on the market or putting it into service in the EU
  • Inform applicants that they are subject to a decision made with a high-risk AI system (the deployer duty in Article 26(11)); the Article 86 right to an explanation of individual decisions also attaches to such decisions
  • Establish post-market monitoring to detect drift and unintended discrimination

Note: If your credit model interacts with GDPR-regulated automated decision-making under Article 22, the two frameworks run in parallel. EU AI Act obligations layer on top, they do not replace GDPR rights.

AI fraud detection in payments or banking

Carved out of Annex III 5(b); assess case by case

Annex III point 5(b) lists creditworthiness evaluation and credit scoring as high-risk but expressly excludes AI systems used for the purpose of detecting financial fraud. A fraud detector is therefore not high-risk merely because it triggers account freezes, payment blocks, or customer exclusions in a bank. It can still land in Annex III if in practice it performs a listed function, for example if its scores are reused as an input to creditworthiness or credit limit decisions. The practical test is whether the system is genuinely a fraud detector or a relabelled creditworthiness or access-control model. Either way, freezes and blocks that significantly affect a person remain subject to GDPR Article 22 and to sectoral financial rules.

What you must do:

  • Document why the system falls within the fraud-detection exclusion: what it detects, which decisions consume its output, and whether any output is reused for creditworthiness decisions
  • If high-risk after that analysis: complete technical documentation including false positive rates, demographic performance breakdowns, and appeal mechanisms
  • Ensure human review is available for consequential fraud decisions affecting natural persons
  • Document how the model was trained and what safeguards prevent systematic bias against protected groups

GPAI model developer or fine-tuner

GPAI Obligations

If you develop a GPAI model, or fine-tune or otherwise modify one and place the result on the market as your own model, the provider obligations in Article 53 have applied since August 2, 2025; models already on the market before that date have until August 2, 2027 to comply (Article 111(3)). They apply regardless of the risk tier of the systems later built on the model. Merely operating a service on top of someone else's GPAI model via API does not make you a GPAI provider; it makes you the provider of an AI system (see the third-party AI section below).

What you must do (all GPAI providers):

  • Prepare and keep up to date technical documentation covering the training and testing process and evaluation results, available to the AI Office and national authorities on request (Article 53(1)(a))
  • Provide downstream providers who integrate the model with documentation of its capabilities and limitations so they can meet their own obligations (Article 53(1)(b))
  • Put in place a policy to comply with EU copyright law, including honouring rights reservations under Article 4(3) of Directive (EU) 2019/790 (Article 53(1)(c))
  • Publish a sufficiently detailed summary of the content used for training, using the AI Office template (Article 53(1)(d))
  • Cooperate with the Commission and national competent authorities as necessary (Article 53(3))

Models released under a free and open-source licence are exempt from the documentation duties in (a) and (b) unless they present systemic risk (Article 53(2)); the copyright policy and training summary still apply.

Additional obligations for systemic-risk GPAI (presumed at 10^25 FLOPs of cumulative training compute; the Commission can also designate models below that threshold):

  • Notify the Commission within two weeks of meeting the threshold, or of learning that it will be met (Article 52(1))
  • Perform model evaluation, including adversarial testing (red-teaming), and assess and mitigate systemic risks, repeating this after significant updates (Article 55(1)(a) and (b))
  • Track, document and report serious incidents and possible corrective measures to the AI Office without undue delay (Article 55(1)(c)); the GPAI Code of Practice adds fixed reporting windows by incident type
  • Ensure an adequate level of cybersecurity protection for the model and its physical infrastructure (Article 55(1)(d))

AI-powered customer service or sales chatbot

Limited-Risk (Art. 50)

Customer-facing chatbots and voice agents that interact with natural persons must comply with Article 50 transparency obligations from August 2, 2026. This is the most common compliance gap in fintech companies.

What you must do:

  • Inform users clearly and at the start of interaction that they are speaking with or reading an AI system
  • Disclosure must be in plain language, not buried in terms of service or tooltips
  • Exception: if it is "obvious from context" that the user is interacting with AI (this is a narrow exception; a chat interface with a human name does not qualify)
  • If the chatbot also generates synthetic text, audio, image or video, the provider must mark that output as AI-generated in a machine-readable form (Article 50(2)); deepfake-style content carries further deployer disclosure duties under Article 50(4)

This obligation applies to all chatbots regardless of size of company or whether the underlying model is built in-house or accessed via API.

B2B SaaS AI platform with EU customers

Provider + Deployer split

B2B AI platforms face a complex compliance position: they are a provider under the AI Act for the AI systems they develop and place on the market, but their customers are deployers who have their own obligations. You cannot contractually transfer all obligations to your customers.

What you must do as provider:

  • Classify each AI system or feature you offer against the risk tiers
  • For high-risk systems: complete technical documentation and conformity assessment before offering in EU market
  • Provide deployer customers with instructions for use that cover capabilities, limitations, and human oversight requirements
  • Establish a post-market monitoring system and customer reporting process for incidents
  • Your EU standard contractual terms need clauses allocating obligations correctly between provider and deployer roles

The third-party AI question: using GPT, Claude, or Mistral APIs

Many fintech and AI companies use third-party foundation models via API (OpenAI, Anthropic, Mistral, Cohere, etc.) as the underlying engine for their products. A common misconception is that the model provider handles all AI Act compliance.

Under the AI Act, you are the provider of the AI system you build on top of third-party models. The underlying model provider has their own GPAI obligations, but you retain obligations as provider of the overall system. Specifically:

What the €15 million question means in practice

Article 99 sets the fine for most AI Act violations, including non-compliance with the high-risk obligations, at up to €15 million or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher; prohibited practices under Article 5 go up to €35 million or 7%. For SMEs and start-ups the cap is whichever of the two figures is lower. So a Series B fintech with €20 million in annual revenue that still qualifies as an SME faces up to €600,000 per infringement. Once a company no longer qualifies as an SME, the €15 million figure is the floor: at €200 million revenue, 3% would be only €6 million, so the exposure is €15 million.

National market surveillance authorities will prioritize sectors with high consumer impact, which means financial services AI is on the short list. The FCA in the UK has already signaled parallel review of AI in financial services, creating a dual regulatory exposure for UK-incorporated fintechs with EU operations.

The employer AI gap: AI used for employee recruitment, screening, performance monitoring, and task allocation is also Annex III high-risk (Category 4). If you use AI in HR, people analytics, or workforce management for EU employees, you have a separate set of obligations from the customer-facing AI analysis above.

Know exactly where your company stands

Start with the free Risk Classifier to find out your tier and obligations in 90 seconds. Then book a compliance assessment if you need a full conformity package for your fintech or AI platform.
