Credit and Insurance AI Is High-Risk: What Financial Firms Need to Do
Financial-services firms sometimes read the EU AI Act as someone else's problem, a rule for AI labs rather than for banks and insurers. That reading does not hold. The Act reaches directly into systems firms already run, and in credit and insurance it classifies several of them as high-risk.
Annex III is explicit about evaluating the creditworthiness of natural persons or establishing their credit score, and about risk assessment and pricing for natural persons in life and health insurance (systems used purely to detect financial fraud are carved out of the credit item). If a model decides or materially informs whether a person gets a loan, on what terms, or what they pay for cover, it is likely in scope. The classification is functional: it follows what the system does, not what the team calls it.
The complication for financial firms is that they are not starting from a blank page. They already operate under EBA and EIOPA expectations on model governance, and under a thick layer of prudential and conduct rules. The AI Act does not replace any of that; it sits alongside it. The practical task is to map where the obligations overlap and where the Act adds something genuinely new, such as the fundamental-rights lens and the specific documentation and human-oversight duties.
The documentation burden is real and should not be underestimated. A high-risk model needs the full technical file, data-governance evidence, risk-management records, and human-oversight design, and for firms running dozens or hundreds of models, doing this well at scale is the actual challenge.
That is why prioritisation matters more than completeness on day one. Not every model carries the same exposure. A sensible programme triages the portfolio by risk and reach, addresses the highest-stakes credit and insurance systems first, and builds reusable governance patterns rather than bespoke effort for each model.
A worked example helps make this concrete. A retail bank's credit-scoring portfolio is rarely one model; it is a family of models across products and segments, with shared data and shared governance gaps. Treating the portfolio as a portfolio, rather than as a pile of unrelated systems, is what makes compliance tractable.
Our whitepaper, EU AI Act Compliance in Financial Services, sets out the scope analysis, the EBA and EIOPA interaction, the documentation burden, a worked credit-scoring example, and a portfolio prioritisation approach. The high-risk obligations for Annex III systems apply from 2 August 2026. Systems already in service before that date are exempt only until they undergo a significant change in design, and for a scoring model that is regularly retrained or re-specified that is not a remote event, so the runway is shorter than it looks.