AI in credit scoring: high risk under the AI Act
AI that assesses consumer creditworthiness is high-risk under Annex III of the AI Act. On top of that come GDPR Article 22 (automated decisions) and the prohibition of discrimination. Three regimes at once, with bias control at the core.
Short answer: AI that determines the creditworthiness or credit score of consumers is a high-risk AI system under Annex III of the AI Act. The provider and deployer must therefore comply with the full high-risk regime. At the same time GDPR Article 22 applies, adding requirements for fully automated credit decisions, as does the general prohibition of discrimination. Bias control is the hinge between these regimes.
Why credit scoring is high-risk
Annex III, point 5 of the AI Act expressly lists AI systems used to evaluate the creditworthiness of natural persons or establish their credit score as high-risk. The rationale: an incorrect or biased score shuts people out of finance, housing and basic services. An important carve-out applies to AI used to detect financial fraud; see AI financial fraud detection.
Because of the high-risk classification, the obligations from the high-risk obligations overview apply: a risk management system, data quality, technical documentation, logging, human oversight, robustness and a conformity assessment before deployment.
The overlap with GDPR Article 22
A credit decision based solely on automated processing that significantly affects the data subject falls under GDPR Article 22. This is in principle prohibited unless it is necessary for a contract, authorised by law, or based on explicit consent. In those cases the consumer has the right to human intervention, to express their point of view and to contest the decision.
The well-known Schufa ruling of the Court of Justice (2023) clarified that producing a credit score can itself be an automated decision where lenders rely heavily on it. That considerably broadens the reach of Article 22.
Bias and discrimination
Credit models learn from historical data and may therefore reproduce existing disadvantage. Proxies such as postcode, education or payment behaviour can correlate indirectly with origin, sex or health. The AI Act therefore requires that training, validation and test data are relevant, representative and as error-free as possible, and that possible biases are examined and mitigated. The prohibition of discrimination under EU and national law applies in full on top of the AI Act.
What to do
- Classify explicitly: record that the system falls under Annex III point 5 and who is provider and deployer.
- Test data for bias: document provenance, representativeness and the bias analyses performed, including proxy variables.
- Secure human intervention: set up a genuine review moment for rejections, in line with GDPR Article 22.
- Be explainable: ensure the consumer receives an intelligible reason for a rejection.
- Connect the governance: link this to your AI governance framework so that the AI Act, GDPR and discrimination law sit in one control chain.
AI credit scoring is not prohibited, but it is heavily regulated. Steering on model accuracy alone while ignoring bias and explainability runs you into three regimes at once.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
  Regulation (EU) 2024/1689 (AI Act): Annex III classifies creditworthiness assessment of natural persons as high-risk.
- https://eur-lex.europa.eu/eli/reg/2016/679/oj
  Regulation (EU) 2016/679 (GDPR): Article 22 on automated individual decision-making, including profiling.