EU AI Act for credit scoring AI: Annex III(5)(b), Article 27 FRIA, and consumer credit law
Credit-scoring AI is one of the few use cases for which the EU AI Act explicitly requires an Article 27 FRIA, regardless of deployer type. The full stack of obligations layers three regimes: AI Act Annex III(5)(b) high-risk classification + GDPR Article 22 automated-decision-making rights + EU Consumer Credit Directive (2023/2225) creditworthiness-assessment rules. Annex III obligations apply from 2 December 2027 under the post-Omnibus timeline.
- Annex III(5)(b): AI used to evaluate creditworthiness of natural persons is high-risk by explicit listing
- Article 27 FRIA required, one of only 2 categories explicitly in scope (alongside life/health insurance (5)(c))
- GDPR Article 22 automated-decision-making rights stack on top, meaningful human review OR Article 22(2) exception required
- EU Consumer Credit Directive 2023/2225 (Article 18, applying November 2026) adds explicit explainability + transparency rights
- Article 4 literacy for credit-decisioning staff: live since 2 Feb 2025
- Full Annex III obligations apply from 2 December 2027 (post-Omnibus)
- Fines stack: AI Act Article 99 Tier 2 (EUR 15M / 3%) + GDPR Article 83 (EUR 20M / 4%) + CCD penalties
- B2B credit decisions are out of scope of Annex III(5)(b), which covers natural persons only
Annex III(5)(b): the explicit creditworthiness category
Article 6(2) + Annex III lists eight categories of standalone high-risk AI systems. Credit scoring is one of the most explicit: Annex III(5)(b) covers AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score.
This captures:
Traditional credit-bureau scoring AI. AI used by credit bureaus or lenders to compute a credit score from financial history, payment patterns, and demographic data.
Mortgage underwriting AI. AI used to assess affordability + default risk for mortgage applications. Material decision-making AI is in scope; pure compliance-check rules engines are not.
Consumer-credit decisioning. AI in personal loan, credit card, BNPL, or revolving credit decision flows. Includes the AI inside an ATS-like system that approves/declines instantly.
Alternative credit scoring. AI using open banking transaction data, behavioural patterns, or non-traditional signals to assess creditworthiness. Still Annex III(5)(b) regardless of input data type.
Embedded AI in BNPL + checkout finance. When a checkout finance provider runs AI to decide whether to extend credit at the point of sale, that’s creditworthiness assessment of a natural person.
B2B credit decisions are not in Annex III(5)(b): the category text is "creditworthiness of natural persons". SME lending, trade credit and corporate credit ratings are outside the explicit list. However, if your SME lending decision factors in personal guarantees from natural persons (often the case), the part of the assessment touching the natural person flips back into scope. Most lenders treat the whole pipeline as high-risk to be safe.
Why Article 27 FRIA is required (not optional)
Article 27(1) sets out two specific categories that must run a FRIA before deployment:
(a) Bodies governed by public law + private entities providing public services. Hospitals, schools, social-security funds, public utilities.
(b) Deployers of Annex III(5)(b) creditworthiness + Annex III(5)(c) life/health insurance AI. Explicit listing. The legislator made a deliberate choice that credit + life-health insurance have particularly acute fundamental-rights impact warranting the explicit FRIA requirement, regardless of public/private status.
Most other Annex III high-risk deployers (HR, recruitment, education, law enforcement etc.) are not in Article 27 scope: they have Article 26 deployer obligations, but for them the Article 27 FRIA is a voluntary best-practice document. Credit scoring is in the narrow group where the FRIA is legally required.
The six elements of Article 27(1)(a) to (f) are the same regardless of which category triggers the requirement. For credit scoring AI, the typical content:
(a) Processes where used. Where in the credit decision pipeline the AI sits, what input signals feed in, where the output flows next, what human review applies.
(b) Time period + frequency. Volume (decisions per day), period of deployment, expected frequency of model retraining.
(c) Affected persons + groups. All credit applicants, with specific attention to vulnerable subgroups: low-income applicants, applicants with thin credit files, applicants from historically-discriminated demographic groups.
(d) Specific risks of harm. Discriminatory denial (the headline risk), disparate-impact harm on protected groups under Directive 2000/43/EC + Directive 2004/113/EC, financial exclusion from housing/transport/employment access for declined applicants, predatory pricing of borderline-approved applicants.
(e) Human oversight. Who reviews the AI decision, what authority to override, what training the credit officer has, time budget per decision. Critical for GDPR Article 22 compatibility.
(f) If risks materialise. Complaint mechanism, redress process, Article 73 incident reporting flow, retraining triggers if disparate impact detected in post-market monitoring.
For the full FRIA process see our FRIA deep dive.
GDPR Article 22 stacking on top
GDPR Article 22 grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them. Credit decisions clearly meet that threshold (denial of credit has legal effect on the data subject).
So a credit-scoring AI must either:
Have meaningful human review in the decision loop. The credit officer reviews the AI’s output and has the authority + time + competence to override. Rubber-stamp review, where the human always accepts the AI output, doesn’t satisfy Article 22.
Rely on an Article 22(2) exception. Three exist: (a) necessary for entering into or performance of a contract; (b) authorised by Union or Member State law with appropriate safeguards; (c) explicit consent. Most consumer-credit deployments rely on exception (a): automated credit decisions are arguably necessary for the credit-card application contract. National DPAs have varied on how strictly to interpret "necessary".
EU AI Act Article 14 + Article 26(2) human-oversight requirements effectively codify the first option (meaningful human review) into the AI Act for any high-risk credit-scoring deployment, so meaningful human review is the safer path for Annex III(5)(b) systems.
GDPR Article 22(3) also requires safeguards including "at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision". This is the "right to challenge": the data subject can demand that a human look at the decision. Operationally: every credit denial needs a documented appeal path.
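Two of the points above are things a deployer can actually measure rather than just document: the disparate-impact risk and retraining trigger from FRIA items (d) and (f), and the rubber-stamp review pattern that fails the meaningful-human-review test. The following is an added example, not code from the original post or from any lender or regulator: a small post-market monitoring script over a batch of constructed decision records. It assumes the pipeline logs the model's recommendation, the credit officer's final decision and the reviewer id per applicant, and that a monitored group label is available from fairness-testing data. The 0.8 approval-rate ratio threshold and the 10-decision minimum volume are illustrative assumptions chosen here, not thresholds the post or EU law prescribes.

```python
"""Post-market monitoring checks for an AI credit-decisioning pipeline.

Two checks over a batch of decision records:
  1. disparate impact: ratio of lowest to highest group approval rate;
  2. rubber-stamp review: reviewers who never override the AI output.
All sample data is constructed; the 0.8 threshold and the 10-decision
minimum are illustrative assumptions, not legal thresholds.
"""
from collections import defaultdict
from dataclasses import dataclass

APPROVE = "approve"
DECLINE = "decline"


@dataclass(frozen=True)
class Decision:
    applicant_id: str
    group: str           # monitored group label from fairness-testing data (assumed available)
    ai_decision: str     # what the model recommended
    final_decision: str  # what the credit officer recorded after review
    reviewer: str        # credit officer id


def _validate(d: Decision) -> None:
    for value in (d.ai_decision, d.final_decision):
        if value not in (APPROVE, DECLINE):
            raise ValueError(f"unknown decision value {value!r} for {d.applicant_id}")


def approval_rates(decisions):
    """Final-decision approval rate per monitored group."""
    totals, approved = defaultdict(int), defaultdict(int)
    for d in decisions:
        _validate(d)
        totals[d.group] += 1
        if d.final_decision == APPROVE:
            approved[d.group] += 1
    return {g: approved[g] / totals[g] for g in sorted(totals)}


def disparate_impact(decisions, threshold=0.8):
    """Ratio of the lowest to the highest group approval rate.

    A ratio under `threshold` flags the batch for the retraining review
    described under FRIA item (f). With fewer than two groups there is
    nothing to compare, so the batch is not flagged.
    """
    rates = approval_rates(decisions)
    if len(rates) < 2:
        return {"ratio": None, "flagged": False, "rates": rates}
    lo, hi = min(rates.values()), max(rates.values())
    ratio = lo / hi if hi > 0 else 1.0  # all groups declined: no disparity to report
    return {"ratio": ratio, "flagged": ratio < threshold, "rates": rates}


def override_rates(decisions):
    """Per reviewer: decisions seen, overrides of the AI output, override rate."""
    seen, overrides = defaultdict(int), defaultdict(int)
    for d in decisions:
        _validate(d)
        seen[d.reviewer] += 1
        if d.final_decision != d.ai_decision:
            overrides[d.reviewer] += 1
    return {
        r: {"decisions": seen[r], "overrides": overrides[r],
            "override_rate": overrides[r] / seen[r]}
        for r in sorted(seen)
    }


def rubber_stamp_reviewers(decisions, min_decisions=10):
    """Reviewers with enough volume who never overrode the AI output.

    A zero override rate over a meaningful volume is the rubber-stamp
    pattern: a review that exists on paper but not in practice.
    """
    return [r for r, stats in override_rates(decisions).items()
            if stats["decisions"] >= min_decisions and stats["overrides"] == 0]


def build_sample_decisions():
    """Constructed sample batch (not real lending data)."""
    records = []
    # group_a, reviewed by r1: AI approves 8 of 10, r1 accepts every AI output.
    for i, ai in enumerate([APPROVE] * 8 + [DECLINE] * 2):
        records.append(Decision(f"A{i}", "group_a", ai, ai, "r1"))
    # group_b, reviewed by r2: AI approves 3 of 10, r2 overrides twice
    # (one approve -> decline, one decline -> approve), so 3 of 10 approved.
    ai_b = [APPROVE] * 3 + [DECLINE] * 7
    final_b = list(ai_b)
    final_b[0], final_b[3] = DECLINE, APPROVE
    for i, (ai, final) in enumerate(zip(ai_b, final_b)):
        records.append(Decision(f"B{i}", "group_b", ai, final, "r2"))
    return records


if __name__ == "__main__":
    batch = build_sample_decisions()
    print("disparate impact:", disparate_impact(batch))
    print("override rates:", override_rates(batch))
    print("rubber-stamp reviewers:", rubber_stamp_reviewers(batch))
```

Run on the constructed batch, the approval-rate ratio between the two groups comes out at 0.375 and is flagged, and reviewer r1 is listed as a rubber-stamp candidate because every one of their ten recorded decisions matches the AI recommendation. Both outputs are evidence a deployer can attach to the FRIA and to the Article 26 oversight record, which is the documentation-not-narrative standard the penalty discussion below asks for.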
EU Consumer Credit Directive (2023/2225) stacking
The recast Consumer Credit Directive (Directive (EU) 2023/2225) applies from 20 November 2026. Article 18 of the recast CCD addresses creditworthiness assessment specifically:
Article 18(1). Assessments must be based on relevant + accurate information about the consumer’s financial situation. Pure score-from-thin-data approaches risk falling below this bar.
Article 18(2). Profiling techniques are allowed but trigger transparency obligations to the consumer.
Article 18(6). The consumer has the right to obtain a clear explanation of the assessment, including the logic involved in any automated processing.
CCD obligations stack on top of the EU AI Act + GDPR Article 22: all three apply simultaneously for AI credit decisions to natural persons. The practical effect: a consumer turned down by an AI credit-scoring system has rights to explanation under all three regimes, and the lender has obligations under all three.
A single AI credit-scoring failure can trigger three parallel enforcement actions: EU AI Act Article 99(4) Tier 2 (EUR 15M / 3% turnover), GDPR Article 83 (EUR 20M / 4%), and CCD Article 24 penalties (vary by Member State). Authorities coordinate to avoid double counting but the legal exposure is real, and the lender must show compliance with all three regimes through documentation, not narrative.
Article 4 literacy for credit-decisioning staff
Article 4 obligations are live since 2 February 2025. For credit-decisioning teams, three tiers usually make sense:
Credit officers + underwriters (Tier 1 staff). AI fundamentals, recognise bias + disparate-impact patterns in AI output, understand when to override, document oversight decisions per Article 26(6), know the GDPR Article 22 challenge right.
Credit risk managers (Tier 2 manager). Risk classification, Article 26 deployer obligation operationalisation, Article 27 FRIA design, vendor evaluation under Article 13 + 53(b), CCD Article 18 explainability obligations.
Chief Risk Officer + Head of Credit (Tier 3 director). Article 4 personal-liability exposure, board sign-off on credit-scoring AI procurement, triple-stack penalty exposure (AI Act + GDPR + CCD), incident escalation through Article 73 + GDPR Article 33.
Alternative credit scoring + the Article 5 trap
AI that uses non-traditional signals to score creditworthiness (open banking transaction patterns, social-media behaviour, mobile phone usage patterns, alternative employment data) is still in Annex III(5)(b): the classification attaches to the use case, not the input data type. But alternative credit scoring carries an additional risk most teams underestimate: the Article 5(1)(c) social-scoring prohibition trap.
Article 5(1)(c) prohibits AI that classifies natural persons over time based on social behaviour, personal characteristics, or predicted personality traits, where the resulting score leads to detrimental treatment in social contexts unrelated to the data origin. An alternative-credit-scoring AI that uses general behaviour patterns to score creditworthiness can be argued to cross this line if:
The input signals are too general. Pure behavioural patterns unconnected to financial behaviour (social media usage, app habits, location patterns).
The resulting score affects unrelated domains. Used not just for credit but propagated into housing, employment, or insurance decisions.
The narrow path: alternative-credit-scoring AI is legal under Article 5 if (1) the input signals are reasonably connected to financial behaviour, and (2) the resulting score is used specifically for credit-related decisions, not general life-decision sorting. Several Member State DPAs have signalled they’ll scrutinise alternative-credit-scoring deployments closely against the Article 5(1)(c) line.
Sources
- Annex III(5)(b) credit-scoring high-risk on EUR-Lex
- Article 27 FRIA on EUR-Lex
- GDPR Article 22 automated decision-making on EUR-Lex
- EU Consumer Credit Directive (2023/2225)
- Article 5(1)(c) social-scoring prohibition on EUR-Lex
- Regulation (EU) 2024/1689 (consolidated)
- Regulation (EU) 2024/1689 (the EU AI Act) on EUR-Lex. The full text of the EU AI Act on the EU's official legal portal. The source of every Article and Annex referenced in this post.
- Regulation (EU) 2016/679 (GDPR) on EUR-Lex. The General Data Protection Regulation. Article 22 (automated decision-making) and Article 33 (breach notification) interact directly with the EU AI Act.
- EDPB guidelines on automated decision-making (WP251rev.01). The European Data Protection Board guidelines on GDPR Article 22. The practical interpretation reference for automated decisions affecting natural persons.
- Directive (EU) 2023/2225 (recast Consumer Credit Directive). The recast Consumer Credit Directive, applying from November 2026. Article 18 governs creditworthiness assessment, including AI-driven scoring.
- European AI Office. The European Commission AI Office, the central enforcement body for GPAI obligations and coordination across national authorities.