For Financial Services · CRO Playbook

Your AI is named in Annex III.
August 2 is the deadline.

Credit scoring, automated lending, fraud and AML decisioning, KYC outcomes, and algorithmic trading. Each is high-risk or interacts with high-risk obligations under the EU AI Act. Your existing model risk framework documents the model. The Act asks about every decision the model produced.

Most financial-services CROs have done the model-risk work. The gap is not the model. The gap is the runtime audit trail of every individual decision the model made, and that gap is what a conformity assessor will ask for first.

The financial sector is the most heavily model-risk-managed industry on earth, which is both an advantage and a trap. The advantage: SR 11-7 in the US, similar frameworks globally, and decades of credit, capital, and trading model governance mean your second line is already mature. The trap: the discipline that grew up around models was built for static, documented, periodically validated systems used by trained humans. The AI Act asks a different question. Not "is the model sound?" but "for this customer's loan denial yesterday at 14:32, show me the policy that applied, the citation that supports it, the human oversight that occurred, and the route the customer has to contest the outcome."

That decision-level audit trail is the work that does not exist in most institutions today. It does not live in your MRM file. It does not live in your CRM. It lives nowhere, because nobody asked for it before. By August 2, 2026, the regulator will ask. This page is about closing that gap on a timeline that still works.

The five financial-services AI systems on the deadline

Annex III · 5(b)

Credit Scoring & Creditworthiness

Named high-risk explicitly

Any AI evaluating creditworthiness of natural persons is high-risk. Includes consumer credit scoring, BNPL underwriting, and AI-enhanced traditional lending models. Conformity assessment, documentation, and human oversight measures all apply.

Annex III · 5(b) interaction

Automated Lending Decisions

High-risk by interaction

End-to-end automated lending pipelines that approve, deny, or price credit fall under the same provisions. The fact that a human signs off downstream does not remove the obligation if the decision was effectively determined by the model.

Annex III · 5(b) interaction

Fraud & AML Decisioning

High-risk where it gates services

Where AI-driven fraud or AML decisions block access to financial services for a natural person (account freeze, transaction reversal that affects credit, denial at onboarding), the AI Act high-risk obligations attach. Not all fraud detection qualifies; the ones that affect customer access do.

Annex III · 5(b) interaction

KYC Outcomes

High-risk where it gates onboarding

AI-driven KYC outcomes that determine whether a customer can open an account or receive a service trigger the same obligations. The intersection with GDPR Article 22 is significant; running both regimes off the same audit trail is the practical path.

MiFID II + AI Act overlap

Algorithmic Trading

Existing regime + AI Act layer

Algorithmic trading is governed by MiFID II separately, but where AI is used in the strategy layer the AI Act adds obligations on the underlying models. The smart institutions are unifying their MiFID II and AI Act evidence rather than running parallel programs.

What your MRM has, what the AI Act needs

Your existing model risk function covers most of the lifecycle. The gap is the per-decision runtime evidence the AI Act demands.

You already have

Model documentation, validation reports, and SR 11-7-grade governance evidence.

The Act also requires

Per-decision records: inputs, the policy that applied, the citation that justifies it, the verdict, and the human-oversight evidence.

You already have

Periodic validation cycles and challenger model frameworks.

The Act also requires

Continuous post-market monitoring of high-risk systems with documented response when drift is detected.

You already have

Adverse-action notices and consumer-protection workflows.

The Act also requires

Operationalised data-subject rights: human review of automated decisions on demand, with the audit trail to support the review.

The realistic six-to-twelve week path

1 · Week 1 · Readiness assessment

One week. We map every Annex III system in your stack, classify it against the obligations, and produce a remediation roadmap with owners and dates. The output is something your CRO and second line can both work from.

2 · Weeks 2-3 · Remediation scoping

Your team reviews the roadmap, surfaces dependencies, and confirms the scope of the runtime layer. We work with your platform engineering, MRM, and compliance leads in parallel to keep the schedule honest.

3 · Weeks 4-9 · Runtime layer integration

The real-time decision layer goes live in front of your high-risk systems. Each consequential decision is intercepted, evaluated against the policy library, and logged with the citation attached. We integrate with your existing model serving without changing the model itself.

4 · Weeks 10-12 · Documentation packaging

The Annex IV technical documentation, the human-oversight evidence, and the conformity assessment package are assembled from the runtime data and your existing MRM evidence. Ready for assessor review.
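The per-decision record described under "The Act also requires" and the interception layer described in step 3 both come down to the same artefact: an append-only log in which every consequential decision carries its inputs, the policy that applied, the citation, the verdict, and the human-oversight evidence, and which can later answer "show me this customer's decision on this day". The following is an added, illustrative sketch of that artefact, written for this page and not taken from any vendor's product or from the institution's own code. The policy ids, citations, contest-route id, customer references and the toy scoring model are all constructed; the hash chain is a standard tamper-evidence technique, and the example goes slightly beyond the text by also showing how a later human review is recorded without rewriting the original entry.

```python
"""Added, illustrative per-decision audit ledger for a high-risk credit model.
Example code only: policy ids, citations, field names and the toy model are
constructed for the demo and are not any institution's or vendor's values."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

# Constructed policy library: each verdict maps to the policy that governs it,
# the citation recorded with it, and whether a human must review it.
POLICY_LIBRARY = {
    "DENY": {"policy_id": "CREDIT-DENY-001", "requires_human_review": True,
             "citation": "EU AI Act Annex III 5(b); Art. 14 (human oversight)"},
    "APPROVE": {"policy_id": "CREDIT-APPROVE-001", "requires_human_review": False,
                "citation": "EU AI Act Annex III 5(b)"},
}


class DecisionLedger:
    """Append-only, hash-chained record store: each entry commits to the previous
    one, so any later edit or deletion of a record is detectable."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, entry):
        entry["prev_hash"] = self.entries[-1]["hash"] if self.entries else GENESIS
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def decisions_for(self, subject_ref, day):
        """The assessor's question: this customer's decisions on this day, each
        with the human-review entries that reference it."""
        hits = []
        for e in self.entries:
            if (e["kind"] == "decision" and e["subject_ref"] == subject_ref
                    and e["timestamp"].startswith(day)):
                reviews = [r for r in self.entries if r["kind"] == "human_review"
                           and r["decision_id"] == e["decision_id"]]
                hits.append({"decision": e, "reviews": reviews})
        return hits


def toy_credit_model(inputs):
    # Constructed stand-in for the institution's served model; the runtime
    # layer wraps it and never changes it.
    score = 0.5 + 0.004 * inputs["months_on_book"] - 0.3 * inputs["dti"]
    return {"score": round(score, 3), "threshold": 0.6}


def govern(ledger, system_id, model_fn, inputs, subject_ref, when):
    """Intercept one consequential decision: run the model, map the outcome to
    the policy library, and log the record with the citation attached."""
    output = model_fn(inputs)
    verdict = "APPROVE" if output["score"] >= output["threshold"] else "DENY"
    policy = POLICY_LIBRARY[verdict]
    return ledger.append({
        "kind": "decision",
        "decision_id": f"{system_id}-{len(ledger.entries) + 1:08d}",
        "timestamp": when.isoformat(),
        "system_id": system_id,
        "subject_ref": subject_ref,  # pseudonymous reference, not raw PII
        "inputs": inputs,
        "model_output": output,
        "policy_id": policy["policy_id"],
        "citation": policy["citation"],
        "verdict": verdict,
        "human_review_required": policy["requires_human_review"],
        "contest_route": "customer-contest-form/v1",  # constructed route id
    })


def record_human_review(ledger, decision_id, reviewer, outcome, when):
    # Oversight is appended as its own entry that references the decision; the
    # original record is never rewritten, which would break the chain.
    return ledger.append({"kind": "human_review", "decision_id": decision_id,
                          "reviewer": reviewer, "outcome": outcome,
                          "timestamp": when.isoformat()})


def demo():
    """Two constructed decisions at 14:32 UTC and one later human review."""
    ledger = DecisionLedger()
    t0 = datetime(2026, 3, 14, 14, 32, tzinfo=timezone.utc)
    denial = govern(ledger, "credit-scoring-v3", toy_credit_model,
                    {"months_on_book": 12, "dti": 0.45}, "cust-7f3a", t0)
    govern(ledger, "credit-scoring-v3", toy_credit_model,
           {"months_on_book": 60, "dti": 0.20}, "cust-91c2", t0)
    record_human_review(ledger, denial["decision_id"], "analyst-042",
                        "upheld", t0.replace(hour=16))
    return ledger
```

Calling `demo().decisions_for("cust-7f3a", "2026-03-14")` returns the denial with its policy, citation, verdict and the attached review in one object, which is the shape of answer the page says an assessor will ask for; `verify()` returns False as soon as any stored field is altered, so the log can be offered as evidence rather than as a claim.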

Frequently asked questions

Which financial-services AI systems are high-risk under the EU AI Act?

Annex III names creditworthiness assessment of natural persons explicitly. In practice, that pulls in credit scoring, automated lending decisions, certain fraud and AML decisioning that affects access to financial services, and KYC outcomes that gate account openings. Algorithmic trading sits under MiFID II separately, but interacts with AI Act obligations on the same models.

My MRM framework already covers these models. Why do I need anything else?

Model risk management documents how the model was built and validated. The AI Act asks how each individual decision was governed: which policy applied, what citation supported it, who reviewed it, and how the customer can contest it. MRM evidence is necessary but not sufficient. The runtime audit trail is the gap.

What is the realistic timeline to be ready by August 2, 2026?

For an institution with five to fifteen Annex III systems already in production, the typical path is: one week of readiness assessment, two to three weeks of remediation scoping with your team, four to six weeks of runtime layer integration, and two weeks of documentation packaging. That fits inside a six-to-twelve week window if you start now.

What documentation does the conformity assessor actually want?

Five things. The risk management system documentation across the AI lifecycle. Data and data governance evidence. Technical documentation per Annex IV. Records of decisions including inputs, the policy that applied, and the verdict. And the human oversight measures with evidence they were actually exercised. Each on a per-system basis.

What are the fines, in numbers a CFO will care about?

Up to 35 million euros or 7 percent of worldwide annual turnover for prohibited-practice violations. Up to 15 million or 3 percent for non-compliance with most other obligations. For a 200 million euro revenue institution, the upper-bound exposure on a single high-risk-system finding lands between 6 and 14 million euros, plus the operational cost of the corrective action.

Run the Readiness Assessment.

One week. We map every Annex III system in your stack, quantify the fine exposure, and deliver the remediation roadmap your CRO can act on Monday morning.