The EU AI Act and Financial Services: What Compliance Teams Need to Know in 2026

AI Regulation Meets Financial Services

The EU Artificial Intelligence Act (EU 2024/1689) entered into force on August 1, 2024, making the EU the first major jurisdiction to establish a comprehensive legal framework for artificial intelligence. While the regulation applies across all sectors, its impact on financial services is particularly significant.

For compliance teams already managing MiCA, DORA, and AML obligations, the AI Act introduces a new layer of requirements that directly affects how financial institutions deploy AI systems for credit scoring, fraud detection, insurance pricing, and customer onboarding.

Key Timeline for Financial Services

The AI Act follows a phased implementation schedule:

• **February 2, 2025**: Prohibited AI practices ban takes effect
• **August 2, 2025**: Obligations for general-purpose AI (GPAI) models apply
• **August 2, 2026**: Full obligations for high-risk AI systems take effect
• **August 2, 2027**: Rules for AI systems embedded in regulated products apply

For financial services, August 2, 2026 is the critical deadline — this is when most obligations relevant to banks, insurers, and investment firms become enforceable.

What Counts as High-Risk AI in Finance?

The AI Act classifies AI systems used in financial services as high-risk under Annex III. Specifically, AI systems used for:

Credit and Creditworthiness Assessment

• Automated credit scoring models
• Loan approval/rejection systems
• Risk assessment tools for lending decisions
• Credit limit determination algorithms

Insurance Pricing and Claims

• AI-driven premium calculation
• Automated claims assessment
• Risk profiling for insurance underwriting
• Fraud detection in claims processing

Investment and Trading

• Algorithmic trading systems using AI
• Robo-advisory platforms
• AI-based portfolio management
• Market risk assessment tools

Customer Due Diligence

• AI-powered KYC/AML screening
• Transaction monitoring systems
• Sanctions screening automation
• Politically Exposed Person (PEP) identification

Core Obligations for High-Risk AI Systems

Financial institutions deploying high-risk AI systems must comply with several key requirements:

1. Risk Management System (Article 9)

Firms must establish a continuous risk management process that:

• Identifies and analyzes known and foreseeable risks
• Estimates and evaluates risks from intended use and reasonably foreseeable misuse
• Adopts appropriate risk management measures
• Tests the system to ensure it performs consistently

This overlaps with DORA's ICT risk management requirements but specifically targets AI-related risks such as bias, accuracy degradation, and unintended outcomes.

2. Data Governance (Article 10)

Training, validation, and testing data must meet strict quality criteria:

• Data must be relevant, sufficiently representative, and as error-free as possible
• Appropriate bias detection and correction measures must be in place
• Personal data processing must comply with GDPR
• Data sets must consider the specific geographic, contextual, and behavioral settings of deployment

For credit scoring models, this means demonstrating that training data does not encode discriminatory patterns based on gender, ethnicity, or other protected characteristics.

3. Technical Documentation (Article 11)

Comprehensive documentation must be maintained including:

• General description of the AI system and its intended purpose
• Detailed information about data governance practices
• Design specifications and development methodology
• Information about system performance and known limitations
• Risk management measures adopted

4. Transparency and User Information (Article 13)

AI systems must be designed to ensure:

• Operations are sufficiently transparent for users to interpret outputs
• Appropriate human-machine interface tools are available
• Users understand the system's capabilities and limitations
• Output confidence levels are communicated where appropriate

For banks using AI in lending decisions, this means being able to explain to customers why a credit application was rejected — not just that the AI said no.

5. Human Oversight (Article 14)

High-risk AI systems must be designed to allow effective human oversight:

• Humans must be able to understand the AI system's capabilities and limitations
• Human overseers must be able to correctly interpret outputs
• Humans must be able to override or reverse AI decisions
• A "stop" mechanism must be available

This is particularly relevant for automated trading systems and credit decision engines where the speed of AI decisions can outpace human review.

6. Accuracy, Robustness, and Cybersecurity (Article 15)

AI systems must achieve appropriate levels of:

• **Accuracy**: Consistent with the intended purpose and stated in documentation
• **Robustness**: Resilience against errors, faults, and adversarial attacks
• **Cybersecurity**: Protection against unauthorized access and data manipulation

This requirement directly connects with DORA's digital operational resilience framework.

How the AI Act Interacts with Existing Financial Regulation

AI Act + MiCA

CASPs using AI for transaction monitoring, market surveillance, or customer risk profiling must comply with both frameworks. Key overlaps:

• MiCA Article 68 requires market abuse detection — AI systems used for this are high-risk under the AI Act
• MiCA's consumer protection requirements align with AI Act transparency obligations
• CASPs using AI for asset classification or valuation face dual compliance requirements

AI Act + DORA

DORA and the AI Act share significant overlap in ICT risk management:

• DORA's ICT risk management framework (Articles 5-16) covers AI systems as part of ICT infrastructure
• DORA's incident reporting requirements extend to AI system failures
• Third-party AI providers may qualify as critical ICT third-party service providers under DORA
• DORA's digital operational resilience testing should include AI system stress testing

AI Act + AML/AMLR

AI-powered AML systems face particular scrutiny:

• Transaction monitoring AI is classified as high-risk
• Customer due diligence automation must meet transparency requirements
• AI-driven suspicious activity detection must allow human override
• Bias in AML screening (e.g., geographic or name-based discrimination) must be actively monitored

Prohibited AI Practices in Financial Services

Since February 2025, several AI practices are already banned:

• **Social scoring**: Using AI to evaluate individuals based on social behavior for financial access decisions
• **Subliminal manipulation**: AI techniques that materially distort financial decision-making without awareness
• **Exploitation of vulnerabilities**: AI systems that exploit age, disability, or economic situation to distort financial behavior
• **Real-time biometric identification**: In publicly accessible spaces (with limited law enforcement exceptions)

Financial institutions should audit existing AI systems to ensure none fall within prohibited categories.

Practical Steps for Compliance Teams

Immediate Actions (Now)

• **Inventory all AI systems**: Catalog every AI system in use, including third-party solutions and embedded AI in vendor products

• **Classify risk levels**: Determine which systems qualify as high-risk under Annex III

• **Audit for prohibited practices**: Verify no current AI deployment falls within prohibited categories

• **Review vendor contracts**: Ensure AI vendors can provide necessary documentation and transparency

Before August 2026

• **Implement risk management**: Establish AI-specific risk management processes that complement existing DORA frameworks

• **Prepare documentation**: Create technical documentation for all high-risk AI systems

• **Train staff**: Ensure human overseers understand AI system capabilities and limitations

• **Test for bias**: Conduct bias audits on credit scoring, insurance pricing, and AML screening models

• **Establish monitoring**: Set up post-deployment monitoring for accuracy degradation and emerging risks

Ongoing

• **Regular reassessment**: AI systems evolve — compliance must be continuously monitored

• **Incident response**: Integrate AI incidents into existing DORA incident reporting frameworks

• **Regulatory updates**: Monitor ESMA, EBA, and EIOPA guidance on AI Act implementation in financial services

Penalties for Non-Compliance

The AI Act establishes significant penalties:

• **Prohibited practices violations**: Up to €35 million or 7% of global annual turnover
• **High-risk system violations**: Up to €15 million or 3% of global annual turnover
• **Incorrect information to authorities**: Up to €7.5 million or 1% of global annual turnover

For financial institutions already subject to MiCA and DORA penalties, AI Act fines represent an additional layer of regulatory risk.

The Bigger Picture: Integrated Compliance

The EU's regulatory approach means financial institutions now face an interconnected web of requirements:

| Regulation | Focus | AI Relevance |

|-----------|-------|-------------|

| AI Act | AI system safety & rights | Direct — governs AI deployment |

| MiCA | Crypto-asset markets | AI used for surveillance & compliance |

| DORA | Digital operational resilience | AI as ICT infrastructure |

| AMLR | Anti-money laundering | AI for transaction monitoring & KYC |

| GDPR | Data protection | AI training data & automated decisions |

The most efficient approach is integrated compliance — building frameworks that address multiple regulatory requirements simultaneously rather than treating each regulation in isolation.

How FinlexPro Helps

Navigating the AI Act alongside MiCA, DORA, and AML requirements requires comprehensive regulatory intelligence. FinlexPro provides:

• Full AI Act text with AI-powered article search and explanations
• Cross-references between AI Act, MiCA, DORA, and AML provisions
• Regulatory updates on supervisory authority guidance and implementation measures
• Gap analysis tools to assess compliance readiness across multiple frameworks

Start your AI Act compliance research with 15 free searches on FinlexPro.