Trusq

factual analysis · traceable to primary sources

Explainer

AI financial fraud detection: the Annex III carve-out

Adopted 2026-06-22 · ≈ 2 min read · Dirk Baaijen

AI that detects financial fraud is expressly carved out of the high-risk classification for credit scoring in Annex III. The carve-out is narrow: it covers genuine fraud detection, not credit assessment under a fraud label. The GDPR and governance still apply.

Short answer: The AI Act classifies creditworthiness assessment as high-risk, but Annex III point 5(b) makes one explicit exception: AI systems used to detect financial fraud do not fall within that high-risk category. The carve-out is deliberately narrow. It covers fraud detection, not credit assessment presented as fraud detection. The GDPR and sound governance continue to apply in full.

What the carve-out actually says

Annex III, point 5 classifies AI for creditworthiness assessment and credit scoring as high-risk. Immediately after comes the exception: this does not apply to AI systems used to detect financial fraud. The reasoning is that fraud detection protects the consumer and makes the financial system resilient, whereas credit scoring decides on access to services. See also AI in credit scoring, where the main regime does apply.

Why the carve-out is narrow

The exception cannot be used to lift a credit-decision system out of the regime by calling it "fraud detection". What matters is the actual function and the effect on the data subject. A system that in practice decides whether someone gets credit remains high-risk, even if it contains a fraud-risk component. A system that flags anomalous transactions or identity fraud falls under the carve-out. A mixed system must therefore be dissected at function level.

What still applies without high-risk status

Being carved out of Annex III does not mean unregulated. Fraud detection processes personal data and falls fully under the GDPR: legal basis, purpose limitation, data minimisation and transparency. Where the system leads to decisions with significant effects (such as blocking an account) on a purely automated basis, GDPR Article 22 is engaged. In addition, the general AI Act provisions not tied to high-risk apply, as do the sectoral requirements for financial institutions, including operational resilience under DORA.

What to do

  • Test the real function: does the system detect fraud, or does it effectively decide on credit? Document that analysis.
  • Dissect mixed systems at component level and classify each part separately.
  • Stay GDPR compliant: arrange legal basis, purpose limitation and human intervention for intrusive automated decisions.
  • Keep governance in place: include carved-out systems in your AI governance framework too.
  • Ensure explainability: a wrongful fraud flag hits the customer hard; provide remediation and appeal routes.

The fraud carve-out is real but tight. Stretching it to credit decisions slides you into the high-risk regime without a conformity assessment.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): Annex III point 5(b) carves out AI for detecting financial fraud from the credit high-risk category.
  2. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR): processing of personal data in fraud detection and automated decision-making.
