Question 1

Which banking AI systems are high-risk under the AI Act?

Accepted Answer

Annex III of EU Regulation 2024/1689 classifies as high-risk, among others: (1) creditworthiness assessment and credit scoring systems for natural persons, except when used exclusively for financial fraud detection (Annex III point 5.b); (2) systems used in pricing and underwriting life and health insurance (Annex III point 5.c). Transactional fraud detection and KYC/AML systems do not fall as high-risk if they are ancillary to regulatory compliance.

Question 2

What obligations apply to a bank with a high-risk system?

Accepted Answer

For high-risk systems, the AI Act requires: a quality management system (Art. 17), complete technical documentation (Art. 11 + Annex IV), data governance and dataset management (Art. 10), transparency and provision of information to users (Art. 13), meaningful human oversight (Art. 14), accuracy and robustness (Art. 15), automatic event logging (Art. 12), EU declaration of conformity (Art. 47), CE marking (Art. 48) and registration in the EU database (Art. 49). Entities must also maintain a fundamental rights impact assessment (Art. 27) and notify serious incidents (Art. 73).

Question 3

When does each obligation enter into force?

Accepted Answer

The AI Act has staggered enforcement: February 2025 (Chapter II prohibitions and AI literacy obligation), August 2025 (obligations for general-purpose AI models / GPAI and institutional organization), August 2026 (full applicability for Annex III high-risk systems — includes credit scoring and actuarial pricing), and August 2027 (applicability for high-risk systems embedded in Annex I products under harmonized legislation).

Question 4

How do the AI Act, ISO 42001 and DORA relate?

Accepted Answer

ISO/IEC 42001 is the operational standard that grounds many AI Act obligations on quality management systems (Art. 17). DORA provides the digital operational resilience framework and requires critical technology — including AI — to be under documented governance. A banking entity with ISO 27001 + ISO 42001 + a mature DORA program covers most AI Act obligations with limited additional evidence. Vermont Solutions designs this triple alignment in real projects.

Question 5

What are the penalties?

Accepted Answer

The AI Act sets three penalty tiers: up to EUR 35 M or 7% of global annual turnover (whichever is higher) for Article 5 prohibitions; up to EUR 15 M or 3% for non-compliance with high-risk and GPAI obligations; up to EUR 7.5 M or 1% for supplying incorrect information to authorities. The penalties are in addition to any imposed by the financial supervisor for DORA non-compliance or sectoral regulation.

Use case	Classification	Reference
Credit scoring for natural persons	High-risk	Annex III, 5.b
Life/health actuarial pricing	High-risk	Annex III, 5.c
Transactional fraud detection	Not high-risk if ancillary	Recital 58 + Annex III 5.b exception
Automated KYC / AML	Not high-risk if ancillary	Regulatory compliance
Internal generative assistants	Transparency (Art. 50) if user interacts with AI	Chapter IV
Market risk models (FRTB IMA)	Not high-risk under AI Act, yes under BCBS d457	Prudential risk

EU AI Act in banking — what it covers and 2025-2027 enforcement

Application timeline

Banking use cases and classification

Obligations for high-risk systems

Official sources