AI Credit Scoring Under the EU AI Act

Credit scoring has been one of the earliest and most consequential applications of algorithmic decision-making. Long before the current wave of AI, statistical models determined who could access credit, on what terms, and at what cost. Today, machine learning models have made credit scoring faster, more granular, and more complex — processing thousands of variables to generate creditworthiness assessments in milliseconds.

The EU AI Act (Regulation 2024/1689) classifies AI systems used to evaluate the creditworthiness of natural persons or establish their credit score as high-risk under Annex III, point 5(b). This classification reflects the profound impact these systems have on individuals' access to essential financial services — mortgages, personal loans, credit cards, and other forms of credit that enable economic participation.

Why Credit Scoring AI Is High-Risk

The rationale is clear: credit decisions directly affect people's ability to buy homes, start businesses, manage emergencies, and participate fully in economic life. When an AI system denies credit or assigns an unfavourable score, the consequences are immediate and tangible. When it does so based on opaque criteria, irrelevant correlations, or biased training data, the harm is compounded by the individual's inability to understand or challenge the decision.

Historical credit scoring models have been documented to produce discriminatory outcomes — disadvantaging individuals from certain neighbourhoods, ethnic backgrounds, or socioeconomic groups. Machine learning models can amplify these biases by discovering subtle proxies for protected characteristics in the data. A model might never see a person's race directly but could learn to use postcode, purchasing patterns, or social network characteristics as proxies that produce the same discriminatory effect.

The EU AI Act addresses this by imposing rigorous requirements for transparency, data governance, bias testing, and human oversight on credit scoring AI.

Scope: Which Systems Are Covered

The high-risk classification under Annex III, point 5(b) covers AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud.

This includes:

Traditional Credit Scoring Models Enhanced with AI

Statistical credit scoring models that incorporate machine learning elements — such as gradient boosting or neural network components — fall within scope if they meet the AI system definition under Article 3(1). The regulation's definition is broad: any machine-based system designed to operate with varying levels of autonomy that, based on inference, generates outputs such as predictions, recommendations, or decisions.

Alternative Credit Scoring

AI systems that assess creditworthiness using non-traditional data sources — social media activity, mobile phone usage patterns, online shopping behaviour, utility payment history — are clearly within scope. These systems raise particular concerns about transparency and bias because borrowers often have no visibility into what data is being used or how.

Pre-Approval and Pre-Qualification Systems

AI systems that determine whether to present credit offers to individuals or that pre-screen applicants before formal application are covered if they evaluate creditworthiness or generate credit scores.

Insurance Pricing and Risk Assessment

While insurance is addressed separately in Annex III, point 5(c), AI systems used for insurance pricing that function similarly to credit scoring — assessing individual risk based on personal data — carry analogous high-risk obligations.

Business Lending (Important Limitation)

Note that the classification specifies "natural persons." AI systems used exclusively for assessing the creditworthiness of legal entities (businesses) are not covered by this specific Annex III category. However, AI used for small business lending where the assessment substantially relies on the personal creditworthiness of individual owners may still fall within scope.

Compliance Requirements for Credit Scoring AI

Risk Management System (Article 9)

Financial institutions must establish a continuous, iterative risk management system for their credit scoring AI. This involves:

• Identification and analysis of known and foreseeable risks — including risks of discrimination, inaccuracy, and opacity in credit decisions
• Estimation and evaluation of risks that may emerge when the system is used as intended and under conditions of reasonably foreseeable misuse
• Adoption of appropriate risk management measures — technical safeguards, operational controls, and governance frameworks
• Testing to identify the most appropriate risk management measures, including testing with real-world data that reflects the demographics of the borrower population

For credit scoring, risk identification must specifically address proxy discrimination — the possibility that seemingly neutral variables serve as proxies for protected characteristics such as race, gender, age, or disability.

Data Governance (Article 10)

Data governance is arguably the most critical requirement for credit scoring AI. The regulation requires:

Training data documentation. Providers must document the provenance, characteristics, and composition of training datasets. For credit scoring, this means documenting what historical lending data was used, from what time period, covering which demographic groups, and with what outcome distribution.

Bias assessment. Training datasets must be examined for biases, particularly concerning protected characteristics. In credit scoring, this requires statistical analysis of whether the training data reflects historical lending discrimination — redlining, differential approval rates, or disparate pricing.

Representativeness. Datasets must be sufficiently representative of the population on which the system will be used. A credit scoring model trained predominantly on data from one demographic group cannot be assumed to perform fairly for other groups.

Data quality. Input data must be subject to appropriate quality controls — addressing missing values, outliers, errors, and inconsistencies that could affect the accuracy and fairness of credit decisions.

Technical Documentation (Article 11)

Providers of credit scoring AI must prepare detailed technical documentation including:

• The system's intended purpose and the types of credit decisions it supports
• The development methodology, including model architecture, feature selection rationale, and training process
• Training, validation, and testing data descriptions — including how data biases were identified and addressed
• Performance metrics disaggregated across relevant demographic groups
• Known limitations, conditions for reliable operation, and foreseeable misuse scenarios
• A description of the risk management measures implemented

This documentation must be prepared before the system is placed on the market and kept up to date throughout the system's lifecycle.

Logging and Traceability (Article 12)

Credit scoring AI systems must automatically log:

• Each credit assessment performed and the key factors that influenced the score or decision
• The input data used for each assessment
• The output generated — the credit score, risk classification, or lending recommendation
• The identity of persons involved in human oversight of the decision

These logs are essential for individual rights — enabling consumers to understand why they received a particular credit decision — and for regulatory oversight. Logs must be retained for a period appropriate to the system's purpose and at minimum six months.

Transparency and Explainability (Article 13)

Credit scoring AI must be designed to be sufficiently transparent for deployers (the financial institutions using the system) to understand and appropriately use its outputs. Instructions for use must include:

• Clear description of the factors the model considers and their relative importance
• The level of accuracy the system achieves, including any disparities across demographic groups
• Known limitations and the conditions under which the system may produce unreliable results
• Instructions for human oversight, including when and how to override the system
• Expected input data specifications and how data quality affects outputs

Human Oversight (Article 14)

Credit scoring AI must be designed to allow effective human oversight. This means:

• A human overseer must be able to understand the system's capabilities and limitations
• The overseer must be able to correctly interpret the system's outputs — understanding what a particular credit score means and how reliable it is
• The overseer must have the ability to decide not to use the system's output or to override it for a particular applicant
• The overseer must be able to intervene in or halt the system's operation

This does not necessarily mean every credit decision must be individually reviewed by a human. But it does mean that genuine human oversight mechanisms must exist, particularly for borderline cases and appeals.

Accuracy, Robustness, and Cybersecurity (Article 15)

Credit scoring AI must:

• Achieve and declare appropriate levels of accuracy — with accuracy metrics broken down by relevant population subgroups
• Be robust against errors, inconsistencies, and adversarial manipulation (for instance, applicants attempting to game the scoring system)
• Include cybersecurity protections against unauthorized access to applicant data or manipulation of the model itself

Interaction with Financial Services Regulation

The EU AI Act does not replace existing financial regulation — it adds a new layer of requirements. Credit scoring AI must simultaneously comply with:

GDPR (Regulation 2016/679)

Article 22 of GDPR already regulates automated individual decision-making, including credit scoring. It provides individuals with the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects, subject to certain exceptions. Where automated credit decisions are made, GDPR requires appropriate safeguards including the right to obtain human intervention, express a point of view, and contest the decision.

The AI Act's requirements are complementary to but distinct from GDPR obligations. Compliance with one does not guarantee compliance with the other.

Consumer Credit Directive (Directive 2008/48/EC) and Mortgage Credit Directive (Directive 2014/17/EU)

These directives impose obligations related to creditworthiness assessment, pre-contractual information, and adverse action notification. AI-driven credit assessments must comply with these existing frameworks in addition to the AI Act.

Payment Services Directive (PSD2) and Anti-Money Laundering Directives

Where credit scoring AI intersects with payment services or AML obligations, the respective regulatory frameworks apply concurrently.

European Banking Authority Guidelines

The EBA has issued guidelines on loan origination and monitoring that address the use of innovative approaches including AI and machine learning. These guidelines complement the AI Act's requirements and provide sector-specific expectations.

Obligations for Financial Institutions as Deployers

Financial institutions that use credit scoring AI systems developed by third parties (fintechs, credit bureaus, technology vendors) have independent deployer obligations under Article 26:

• Use according to instructions — deploy the system within its documented intended purpose and operating parameters
• Human oversight — assign competent, trained individuals to oversee the system's operation and review its outputs
• Input data quality — ensure the data fed into the system is relevant, accurate, and representative
• Monitoring — continuously monitor the system's performance and report serious incidents or malfunctions
• Inform individuals — where required, inform credit applicants that an AI system is involved in the creditworthiness assessment

Financial institutions cannot outsource their deployer obligations to their AI vendors. Even if the vendor claims AI Act compliance, the deploying institution must independently fulfil its own obligations.

Practical Compliance Steps for Financial Institutions

Inventory your credit scoring AI. Identify every AI system involved in creditworthiness assessment, credit scoring, loan approval, credit limit determination, and pricing. Include systems from third-party providers and credit bureaus.

Conduct bias audits. Test your credit scoring models for disparate impact across protected characteristics. Analyse approval rates, pricing, and score distributions by gender, age, ethnicity, and other relevant dimensions. Document the methodology and results.

Demand documentation from vendors. If you use third-party credit scoring AI, request the technical documentation required under Article 11. Assess whether your vendor can provide the transparency and explainability information you need to fulfil your deployer obligations.

Strengthen explainability. Move beyond generic adverse action notices. Develop capabilities to provide meaningful explanations of individual credit decisions — what factors drove the score, how the applicant compares to the relevant population, and what would need to change for a different outcome.

Establish governance. Assign clear accountability for credit scoring AI compliance. This typically involves collaboration between risk management, data science, compliance, legal, and business units. No single function can own this alone.

Prepare for conformity assessment. Determine whether your credit scoring AI systems require internal conformity assessment or third-party assessment. Begin preparing the required documentation and evidence.

Timeline

Conclusion

AI credit scoring sits at the intersection of financial regulation, data protection law, and now the EU AI Act. For financial institutions, this means compliance is not a single-framework exercise but a multi-dimensional challenge requiring coordinated effort across legal, technical, and operational functions.

The good news is that the AI Act's requirements — transparency, bias testing, data governance, human oversight — align closely with sound credit risk management practices. Financial institutions that already take model risk management seriously will find that much of their existing framework maps to AI Act requirements. The gap is likely in documentation, formal conformity assessment, and the specific transparency and explainability standards the regulation demands.

The institutions that begin their compliance work now will have time to address these gaps methodically. Those that wait until 2026 will face a compressed timeline, higher costs, and greater regulatory risk. In an industry where regulatory compliance is a competitive necessity, early movers have a clear advantage.