
EU AI Act for Financial Institutions: Risk Classification, Compliance, and What Banks Need to Do in 2026

The EU AI Act's high-risk AI obligations for financial services — including credit scoring and AML models — apply from August 2026. This guide covers who is in scope, the compliance requirements, and how those requirements intersect with DORA and SR 26-2.

The EU AI Act is the world's first comprehensive AI regulation, and financial institutions — including US banks with EU operations — face binding obligations now. This guide covers risk classification, prohibited AI practices, high-risk AI requirements for financial services, the 2026 compliance timeline, and how the EU AI Act intersects with DORA and US frameworks.

What Is the EU AI Act?

Regulation (EU) 2024/1689 entered into force in August 2024. It establishes a risk-based regulatory framework for AI systems placed on the EU market or used in the EU. Banks and financial institutions that deploy AI systems in EU-regulated activities are deployers and face direct compliance obligations. The Act uses a tiered risk classification — prohibited, high-risk, limited risk, and minimal risk — with obligations that scale with risk tier.


Prohibited AI Practices Relevant to Financial Institutions

The EU AI Act prohibits certain AI practices outright. The two most relevant to banks are: social scoring systems that evaluate trustworthiness and lead to detrimental treatment unrelated to context (banks must review whether any customer risk scoring could be construed as social scoring); and AI systems that exploit the vulnerabilities of specific groups to distort their behaviour in harmful ways (relevant to AI-driven product sales and customer communications). These prohibitions apply from August 2, 2025.

High-Risk AI Classification: What Applies to Banks

Annex III designates specific AI application areas as high-risk. For financial institutions:

Credit scoring and creditworthiness assessment: AI systems used to evaluate creditworthiness or assist credit decisions are high-risk. This covers consumer credit models, SME lending models, mortgage affordability systems, and credit card limit models — both bespoke and third-party scoring systems deployed by the bank.

Employment and worker management AI: Relevant for banks using AI in HR processes — CV screening, performance scoring, workforce management.

Access to essential services: AML transaction monitoring and fraud detection systems may fall into this category depending on whether their outputs affect customers' ability to access banking services.

Compliance Obligations for High-Risk AI Systems

Deployers of high-risk AI systems must: conduct a fundamental rights impact assessment (FRIA) before deployment; implement a quality management system covering data governance, human oversight, and monitoring; ensure human oversight — a competent person must be able to understand, monitor, and override the AI system; maintain logs of the system's operation; conduct conformity assessments; register high-risk systems in the EU AI database; and report serious incidents to market surveillance authorities.

EU AI Act Compliance Timeline

Critical milestones: August 2, 2025 — prohibited AI practices banned; August 2025 — GPAI model obligations apply; August 2026 — full obligations for high-risk Annex III systems apply, including credit scoring and financial services AI. Banks have until August 2026 to achieve full compliance for high-risk systems — meaning the compliance programme must be operational now.

EU AI Act + DORA + US Frameworks

Banks with EU operations face overlapping obligations. DORA's ICT risk requirements apply to the infrastructure running AI systems. The EU AI Act adds governance, transparency, and human oversight requirements for the AI systems themselves. A bank with a DORA-compliant ICT risk framework already has the monitoring and documentation infrastructure needed for EU AI Act compliance, but will need to add FRIA documentation and meet the EU AI Act registration requirements. On the US side, the EU AI Act's high-risk AI obligations overlap with SR 26-2's MRM principles. See our NIST AI RMF guide and 2026 AI regulatory landscape overview for the broader compliance picture.

Action Steps for Banks in 2026

Banks targeting full compliance by August 2026 should: inventory all AI systems deployed in EU-regulated activities and classify each by risk tier; conduct FRIAs for all high-risk systems; audit human oversight arrangements for credit scoring and AML models; review AI vendor contracts for EU AI Act compliance attestations; and designate an EU AI Act compliance owner. The August 2026 deadline is not soft — enforcement authority lies with national financial supervisory authorities, which are already incorporating EU AI Act compliance into their examination frameworks.