Credit scoring, insurance, and essential-service AI
Credit and insurance uses are commercially high value and legally sensitive. This is where teams should be especially careful with system boundaries, fairness claims, and documentation.
Credit scoring and insurance AI systems are high-risk under the EU AI Act when they evaluate creditworthiness of natural persons or perform risk assessment and pricing for health and life insurance. These uses can materially shape access to loans, policies, housing, or essential services, directly affecting people’s livelihoods and fundamental rights.[1]
As a deployer (e.g. a bank or insurer putting the system into service), you must focus on concrete operational steps: ensuring human oversight, demanding technical documentation and bias-testing evidence from vendors, maintaining logs for traceability, and preparing for fundamental rights impact assessments (FRIA) where required. Prohibitions on unacceptable practices (such as certain social scoring) have applied since February 2025. Full high-risk obligations for Annex III systems are scheduled to apply from 2 August 2026, though the Commission has proposed adjustments linked to the availability of harmonised standards and support tools.[2]
This page translates the rules into decision contexts, vendor questions, and internal controls that matter for financial services teams.
Current Law Status (May 2026)
- High-risk classification for AI evaluating credit scores/creditworthiness or used for risk assessment and pricing in health/life insurance is established in Annex III and Recital 58. These systems determine access to financial resources or essential services and can lead to discrimination or exclusion.[1]
- Fraud-detection AI for financial services or prudential capital calculations is explicitly carved out from high-risk status.
- Some procedural obligations for credit institutions and insurance undertakings integrate with existing financial services rules (e.g. CRD, Solvency II) to limit duplication in risk management, quality management systems, and monitoring.[3]
- Timeline: The prohibitions and the AI system definition apply now. High-risk Annex III obligations are scheduled for August 2026 (Annex I product-safety systems in 2027). The Digital Omnibus proposal would link application dates to the readiness of standards and guidance, with a possible extension. This is a proposal, not current law.[2]
- Deployers of relevant high-risk systems in banking or insurance must consider FRIA prior to use. No certification is available or required; compliance is evidenced through documentation, testing, and oversight.
We do not provide legal advice. This operational overview draws from official EU sources to help you ask better questions, gather evidence, and build workable processes.
Why these use cases are sensitive
Credit, underwriting, claims, and fraud systems sit at the intersection of essential services and fundamental rights. A denied loan, higher premium, rejected claim, or fraud flag can affect housing, mobility, economic participation, and dignity. The AI Act flags these precisely because the consequences are material and hard to reverse.[4]
Core sensitivities
- Access and pricing consequences: An AI credit score or insurance risk price directly gates financial products. Poor performance can produce widespread exclusion that looks neutral but correlates with protected characteristics (e.g. proxies for race, gender, or socioeconomic status hidden in training data).
- Fairness and non-discrimination: High-quality datasets and bias testing are mandatory for high-risk systems. Historical data often embeds past discrimination; the Act requires mitigation measures.
- Explainability and appeal: Affected individuals need to understand why a decision was made. Internal “black box” scoring that cannot be explained to compliance teams or customers creates regulatory and reputational risk. Deployers must be able to provide meaningful information to individuals.
- Human oversight and override: The system must be designed so a human can interpret outputs, intervene, and override in individual cases. Fully automated decisions without effective oversight fail high-risk requirements.
- Oversight and redress: Deployers of high-risk systems in these sectors often need a FRIA to identify risks to rights such as non-discrimination, data protection, and social rights. Affected people should have practical review or appeal routes.
- Systemic impact: In insurance and credit, models can influence market-wide pricing or availability. Errors or drift over time affect large populations.
These are not abstract legal categories. They translate into real documentation asks, testing regimes, and governance controls you must operate day-to-day. See the detailed breakdown in our guide to /guides/annex-iii-high-risk-ai.
Which system features matter most
Not every AI feature in financial services triggers the same obligations. Focus on features that influence individual outcomes versus those used for internal fraud detection or prudential calculations (the latter often excluded from high-risk classification).[1]
Priority features
- Scoring models: Credit scores or insurance risk scores that directly feed approval, pricing, or terms decisions. These are the clearest high-risk examples.
- Underwriting support: AI that recommends policy terms, coverage levels, or declinations. If the recommendation materially shapes the final decision offered to a person, it falls under high-risk scrutiny.
- Claims triage: Automated routing or initial scoring of claims that determines speed, depth of review, or likelihood of payment. Strong automation here can affect fairness and explainability.
- Fraud or anomaly support: Many fraud-detection uses are carved out when they serve prudential or regulatory compliance purposes. However, if the system also influences individual customer treatment beyond fraud (e.g. permanent risk flagging), obligations may still apply.
- Recommendation intensity: How strongly the system pushes or auto-applies outcomes matters. A “suggested” score that teams rarely override in practice can be treated as effective decision-making.
For each, vendors must demonstrate data governance, robustness testing, and human-in-the-loop design. Internal teams should maintain override logs, monitor for performance drift, and document actual usage patterns versus vendor claims.
What deployers need from vendors
As a deployer you are not required to build the model, but you are responsible for how it is used in the EU. You therefore need specific evidence and capabilities from providers (the entities that develop and place the AI system on the market).[5]
Essential vendor deliverables
- Technical documentation: Instructions for use, intended purpose, known limitations, and performance metrics across demographic groups.
- Dataset and testing evidence: Summary of training data characteristics, fairness/bias testing results, and mitigation steps taken. Request validation against representative EU populations.
- Limitations and residual risks: Clear statements on contexts where accuracy drops, potential proxies for protected characteristics, and scenarios where the model should not be used.
- Governance and monitoring hooks: Logging capabilities, performance monitoring recommendations, and alert mechanisms for drift or anomalies.
- Override and explanation support: API or interface features that allow human review, override with recorded rationale, and generation of customer-facing explanations.
- Conformity and update information: Evidence of the provider’s conformity assessment (or presumption via harmonised standards once available) and a process for notifying deployers of substantial modifications.
Use a structured questionnaire to capture this evidence consistently. Our /guides/ai-vendor-questionnaire provides a practical template tailored to high-risk obligations.
You should also verify that the vendor distinguishes its role (provider) from yours (deployer). Blurring roles creates compliance gaps.
Financial and insurance AI matrix
| Use case | Main concern | Key evidence | Best next page |
|---|---|---|---|
| Credit scoring | Discrimination, denial of essential services, lack of explainability | Annex III classification; Recital 58 on creditworthiness evaluation determining access to finance/housing | /guides/annex-iii-high-risk-ai |
| Underwriting support | Biased risk pricing, unfair policy terms or exclusions | Impact on livelihood and health/life insurance pricing; requirement for high-quality data and human oversight | /guides/fria-template |
| Claims triage | Unequal claim outcomes, insufficient review for certain groups | Fairness in automated routing; need for logging and individual redress pathways | /guides/ai-vendor-questionnaire |
| Fraud or anomaly support | Over-flagging of legitimate customers; scope creep beyond prudential use | Carve-out for fraud detection in financial services law; still requires monitoring if individual decisions result | /guides/annex-iii-high-risk-ai |
This matrix helps prioritise which systems need the fullest documentation and controls first.
Decision-rights checklist
Use this checklist to evaluate internal readiness and vendor alignment. Record evidence for each.
| Question | Why it matters | Evidence |
|---|---|---|
| Can a human override? | High-risk systems require effective human oversight that is not purely symbolic. Overrides must be logged. | Override logs, interface design specs, training records for users |
| How is the score explained internally? | Compliance, audit, and appeal teams need reproducible reasoning. “Black box” outputs increase risk. | Explanation method (SHAP, counterfactuals, rule lists), sample outputs, internal testing |
| What review exists for affected people? | Individuals denied credit or insurance coverage must have practical ways to understand and challenge outcomes. | Customer communication templates, appeal process documentation, FRIA summary |
Expand this checklist with questions on data provenance, post-market monitoring plans, and incident reporting procedures.
Real-world examples
Credit assessment: A retail bank deploys an AI model that generates a creditworthiness score and recommended loan terms. The model uses alternative data (transaction patterns, utility payments). Under the AI Act this is high-risk. The bank must ensure the vendor supplies dataset fairness metrics, implement human review for scores below a threshold, log all decisions, and prepare a FRIA because it is a private entity providing services that affect fundamental rights. Customer letters must explain key factors influencing the score in plain language.
Insurance underwriting support: An insurer uses an AI tool to recommend premium loadings or declinations for life policies based on lifestyle and health proxies. Because it can materially affect people’s access to coverage and pricing, it triggers high-risk obligations including robustness testing against demographic groups and human override capability. The deployer requests annual re-testing evidence from the vendor and monitors for drift after model updates.
Claim triage or fraud analysis: An AI system routes motor insurance claims into “fast-pay,” “manual review,” or “investigate for fraud” buckets. If the triage directly influences payment speed or likelihood for natural persons, documentation and oversight are required. Purely internal fraud-detection models used for regulatory reporting may benefit from the carve-out, but the bank or insurer must still maintain overall accountability for outcomes.
These examples show how the same legal text produces different operational artefacts depending on deployment context.
Frequently asked questions
Does decision support count if humans still approve? Yes, in practice it often does. If the AI output is the primary or heavily relied-upon input and human review is cursory or rarely results in changes, authorities can view it as the effective decision-maker. Document actual override rates, train reviewers on when and how to intervene, and retain evidence of meaningful human involvement.
What is the key vendor evidence for these systems? Prioritise: (1) technical documentation and instructions for use, (2) fairness and performance metrics across protected groups, (3) clear statement of intended purpose and known limitations, (4) logging and monitoring interfaces, and (5) evidence of the provider’s conformity assessment process. Our vendor questionnaire template helps capture this systematically.
When should a FRIA-style approach start? Start during vendor selection and pilot phases—well before August 2026 deployment. The FRIA identifies specific risks to fundamental rights in your context, evaluates severity and likelihood, and records mitigation steps. Use our /guides/fria-template to structure the assessment. For banking and insurance entities the obligation is explicit for certain high-risk systems.
Common mistakes
- Treating every internal AI tool as high-risk while missing actual customer-facing scoring systems that determine loan or policy outcomes.
- Accepting vendor marketing claims (“GDPR compliant therefore AI Act ready”) without demanding the specific technical documentation and testing evidence required.
- Implementing purely automated flows without recorded human oversight or override mechanisms.
- Failing to monitor for performance drift after deployment or model updates.
- Confusing provider and deployer responsibilities, leaving gaps in accountability for post-market monitoring.
- Waiting for final standards or guidance before beginning evidence collection—start building your artefact library now.
Action checklist
- Inventory all AI systems used for credit scoring, underwriting, claims, or fraud decisions and classify them against Annex III criteria.
- Send the AI vendor questionnaire to every relevant provider and set a deadline for complete responses.
- Pilot the FRIA template on your highest-impact use case (e.g. consumer credit scoring).
- Implement or strengthen human oversight workflows with logged rationales and regular sampling of AI outputs.
- Establish post-market monitoring: define metrics, review cadence, and escalation paths for accuracy or fairness degradation.
- Document customer explanation and appeal processes in plain language.
- Schedule an internal review before the scheduled August 2026 milestone, adjusting for any final timeline clarifications from the Commission.
- Store all evidence centrally so it can be produced to market surveillance authorities or fundamental rights bodies if requested.
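As an added example (not from this page, the Act, or any vendor), the following Python check runs over a constructed override log and produces the evidence the FAQ and checklist above ask for: the actual override rate, overrides logged without a rationale, and post-review approval rates across monitoring cohorts as a fairness-degradation metric. The column names, cohort labels and both thresholds are assumptions, not values taken from the Act.

```python
import csv
import io
from collections import defaultdict

# Constructed sample override log (not from the page): one row per credit decision,
# with the model's recommendation, the reviewer's final decision, the rationale
# recorded for an override, and the monitoring cohort used for fairness checks.
SAMPLE_LOG = """decision_id,model_recommendation,human_decision,reviewer,rationale,cohort
d001,deny,deny,r1,,A
d002,approve,approve,r1,,A
d003,deny,approve,r2,income verified manually,B
d004,deny,deny,r2,,B
d005,deny,deny,r1,,B
d006,approve,approve,r2,,A
d007,deny,deny,r1,,B
d008,approve,approve,r1,,A
d009,deny,approve,r1,,B
d010,approve,approve,r2,,A
"""

def parse_log(text):
    return list(csv.DictReader(io.StringIO(text)))

def override_rate(rows):
    """Share of decisions where the reviewer changed the model's recommendation."""
    overrides = [r for r in rows if r["human_decision"] != r["model_recommendation"]]
    return len(overrides) / len(rows), overrides

def overrides_without_rationale(overrides):
    """Overrides logged with no reason recorded: an oversight-evidence gap."""
    return [r["decision_id"] for r in overrides if not r["rationale"].strip()]

def approval_rate_by_cohort(rows):
    """Final approval rate per monitoring cohort, after human review."""
    counts = defaultdict(lambda: [0, 0])  # cohort -> [approved, total]
    for r in rows:
        counts[r["cohort"]][1] += 1
        counts[r["cohort"]][0] += r["human_decision"] == "approve"
    return {k: approved / total for k, (approved, total) in counts.items()}

def oversight_report(text, min_override_rate=0.05, max_disparity=0.2):
    """Oversight and fairness signals; both thresholds are assumed values, not from the Act."""
    rows = parse_log(text)
    rate, overrides = override_rate(rows)
    rates = approval_rate_by_cohort(rows)
    disparity = max(rates.values()) - min(rates.values())
    return {"override_rate": rate, "approval_rate_by_cohort": rates,
            "overrides_missing_rationale": overrides_without_rationale(overrides),
            "symbolic_oversight_flag": rate < min_override_rate,  # review rarely changes outcomes
            "fairness_flag": disparity > max_disparity}  # cohort approval gap to escalate
```

Run against a real export, the report gives the override rate and rationale gaps to retain as oversight evidence, and the cohort gap feeds the escalation path defined in the post-market monitoring plan.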
Next step: Map your specific credit or insurance use cases and generate concrete evidence artefacts. Start with our AI Vendor Questionnaire or download a sample high-risk AI readiness report for financial services teams to see the exact outputs and structure you should aim for. This turns regulatory requirements into operational advantage and keeps your documentation audit-ready.