Annex III point 5(b) of Regulation (EU) 2024/1689 classifies AI used to evaluate the creditworthiness of natural persons or to establish their credit score as high-risk, with an explicit carve-out for systems used to detect financial fraud. A bank that builds such a system is a provider and picks up the Article 8 to 15 requirements and the Article 16 to 22 provider duties; a bank that runs a vendor engine is a deployer under Article 26 and, because the system falls under point 5(b), must also complete the Article 27 fundamental rights impact assessment before deployment. Either way the documentation, risk management, data governance, human oversight and post-market monitoring duties land on top of existing prudential model supervision (Annex III point 5(b), EUR-Lex).
For EU significant institutions the European Central Bank, acting through the Single Supervisory Mechanism, is the prudential supervisor; the European Banking Authority issues guidelines and drafts the binding technical standards that bear on model governance and ICT risk. The two tracks run in parallel. Member states had to designate their AI Act market surveillance and notifying authorities by 2 August 2025 (Article 70), and for high-risk AI used in direct connection with regulated financial services Article 74(6) makes the national financial supervisor the market surveillance authority by default, with a derogation in Article 74(7), so the Act itself steers AI enforcement towards the existing financial supervisor rather than a separate AI authority (ECB Banking Supervision; EBA).
The biggest practical issue: a bank's credit scoring system is now simultaneously a high-risk AI system under the EU AI Act, a model under SR 11-7 for any US footprint, and a model under PRA SS1/23 in the UK (published May 2023, effective 17 May 2024). Fraud detection models are carved out of Annex III point 5(b) but remain models under SR 11-7 and SS1/23, so they do not escape validation. Each regime expects its own validation, documentation and oversight artefacts. Firms that reconcile the artefacts pay once; firms that do not pay three times.
Every AI system used in credit decisioning, including vendor-supplied scoring engines and embedded analytics inside core banking platforms, must sit in the firm's register with named owner, declared purpose, training and inference data sources, and a link to the relevant model risk record.
Credit, fraud, AML triage and HR systems are classified individually against Annex III; staff-facing productivity assistants are typically limited risk under Article 50. Each system carries a written, defensible classification rationale signed off by the second line.
Article 9 requires a lifecycle risk management system covering identification, estimation and mitigation across the full model lifecycle; align it to existing first-line ownership and second-line model risk processes. Article 9 expressly allows this system to be combined with risk management processes required under other Union law, and Article 17 lets financial institutions meet the quality management system requirement through the internal governance arrangements they already run under financial services law. Do not stand up a parallel AI risk function alongside MRM; integrate.
The Article 11 technical documentation (Annex IV) maps with high overlap to SR 11-7 model development and validation documentation, and Article 11 allows a financial institution to keep it as part of the documentation already maintained under financial services law. Treat the AI Act technical file as a superset view over the existing model documentation pack rather than a new artefact, and feed both regimes from one source.
Article 12 requires automatic event logging over the lifetime of the system, and deployers must keep the logs under their control for at least six months (Article 26), with financial institutions retaining them inside the documentation already kept under financial services law. Integrate that logging and the post-market monitoring plan with the bank's existing operational risk event capture and production model monitoring. Reuse the observability stack; do not build a second telemetry pipeline for the AI Act alone.
Named human reviewers with documented decision rights, override capability and escalation paths, assigned under Article 26 to natural persons with the competence, training and authority to intervene, exercising the oversight measures the provider designed in under Article 14. For credit decisions the credit officer retains final approval and the authority to reject the model output; oversight is real, recorded and auditable, not a checkbox on a screen. Because Article 86 gives an affected person the right to a clear and meaningful explanation of the role the AI system played in a decision with legal or similarly significant effect, the reviewer's record must be good enough to produce that explanation for a declined applicant.
Hosted LLM use in customer-facing chat or internal copilots triggers Article 50 transparency disclosures: the design-level duty to tell people they are interacting with AI sits with the provider under Article 50(1), and the bank as deployer ensures the disclosure is actually shown in its channels. Most GPAI provider obligations sit with the model vendor under Articles 51 to 55; the bank carries the deployer obligations tied to the use case. The caveat is Article 25: if the bank puts its own name on the system, substantially modifies it, or changes its intended purpose so that it becomes high-risk, the bank becomes the provider and inherits the full provider duty set.
The ECB is the direct prudential supervisor of significant EU institutions under the Single Supervisory Mechanism; AI risk falls inside its existing model risk and ICT risk oversight.
The EBA issues guidelines and drafts binding technical standards, including on ICT and security risk management, internal governance and model governance, that apply to AI systems as they do to any other model or ICT system.
EU AI Act enforcement against deployers and providers sits with the member state designated market surveillance and notifying authorities, which for AI used in direct connection with regulated financial services defaults to the national financial supervisor under Article 74(6).
For UK banks, the PRA's SS1/23 model risk management principles took effect on 17 May 2024 and apply to models including AI and machine learning, with proportionality expected for smaller firms; supervision runs through normal PRA channels.
For US banks and US branches of foreign banks, SR 11-7 (Federal Reserve, 2011, issued jointly with the OCC as Bulletin 2011-12 and adopted by the FDIC in 2017) is the prevailing supervisory standard on model risk management and applies to AI models used in covered activities.
The EU AI Act phases obligations between 1 August 2024 (entry into force), 2 February 2025 (Article 5 prohibited practices and Article 4 AI literacy duties), 2 August 2025 (GPAI obligations, governance provisions and designation of national authorities) and 2 August 2026 (most high-risk obligations, including Annex III credit systems). Banks should plan inventory and classification work to land well inside the 2026 window (EUR-Lex, Regulation (EU) 2024/1689).
For EU significant institutions the practical day-to-day supervisor on AI-related model and ICT risk will be the ECB Joint Supervisory Team, working alongside the national AI Act competent authorities. Article 74(6) settles the main question by making the national financial supervisor the default market surveillance authority for AI used in connection with regulated financial services, but how that authority, the JST and the national AI notifying authority share inspections, reporting and enforcement in practice is still being worked through by the EBA and national authorities (ECB Banking Supervision).
In the UK, the Bank of England, the PRA and the Financial Conduct Authority published a joint discussion paper on AI and machine learning in financial services (DP5/22, October 2022) and a feedback statement (FS2/23, October 2023); both regulators have been clear they intend to apply existing rules, including SS1/23 for model risk, rather than introduce a single AI rulebook (FCA / BoE joint approach).
| Adjacent rule | How it interacts |
|---|---|
| SR 11-7 (US Fed, OCC) | Documentation overlap is high: Annex IV technical documentation maps cleanly to SR 11-7 development and validation expectations. Validation overlap is substantial, with SR 11-7 setting a stricter bar on effective challenge, reproducibility of the evaluation harness and ongoing monitoring evidence. |
| PRA SS1/23 (Bank of England) | The five SS1/23 principles on governance, identification, development, validation and use align tightly with EU AI Act risk management and human oversight obligations. UK firms with EU exposure can run one operating model, not two, by mapping artefacts to both regimes at design time. |
| Capital Requirements Regulation and Directive (CRR / CRD) | IRB credit risk models under the Basel framework already carry the Article 143 CRR permission conditions and the Article 185 to 191 CRR duties on validation of internal estimates, corporate governance, credit risk control and internal audit. AI models used for credit scoring inherit both the prudential IRB regime and the EU AI Act high-risk regime, so the validation evidence must satisfy both. |
| EBA Guidelines on ICT and security risk management, and DORA (Regulation (EU) 2022/2554, applying from 17 January 2025) | AI systems are ICT systems. Logging, change management, access control, third-party risk and operational resilience expectations under the EBA guidelines and DORA carry over directly to EU AI Act Article 12 record-keeping and Article 15 accuracy, robustness and cybersecurity, reducing duplicated control build. The hosted-model vendor is a DORA ICT third-party provider and belongs in the register of information. |
| AMLD and the 2024 EU AML package (AMLR (EU) 2024/1624, AMLD6 (EU) 2024/1640, AMLA) | AML transaction monitoring AI is itself a model under SR 11-7 or SS1/23 even where it does not land in Annex III. AML obligations on detection effectiveness and the EU AI Act obligations on transparency sit side by side, and both demand explainability of alert generation to the satisfaction of the MLRO. |
“The leverage point is not 'comply with the EU AI Act', it is 'have one artefact set that satisfies the AI Act, SR 11-7 and SS1/23 at once'. The firms that get this right run a single second line, not three.”
A non-EU bank is in scope if it places an AI system on the EU market, puts one into service in the EU, or uses the output of the system in the EU; this is the Article 2 extraterritorial scope, and it catches a head-office scoring model whose decisions are applied to EU customers.
An existing SR 11-7 documentation pack does not satisfy Annex IV on its own, but it covers a large share of it. Reconcile the existing model documentation pack to the Annex IV gaps rather than duplicating; the remaining items are tractable inside a normal MRM cycle.
A bank using a hosted LLM discloses AI use under Article 50 to affected users. The GPAI provider obligations under Articles 51 to 55 sit with the model vendor; the bank remains a deployer with use-case obligations unless it modifies the system in a way that makes it the provider under Article 25.
Application is phased: in force from 1 August 2024, Article 5 prohibitions and AI literacy from 2 February 2025, GPAI and governance from 2 August 2025, most high-risk obligations including Annex III credit systems from 2 August 2026.
A fixed-fee engagement of 8 to 16 weeks covers inventory, classification, remediation plan and audit pack; the artefact set reconciles EU AI Act, SR 11-7 and SS1/23 obligations into one second-line operating model.
The EU AI Act classifies bank credit scoring and employment-related HR systems as high-risk under Annex III, while fraud detection is carved out of point 5(b) and AML triage is assessed case by case; high-risk status adds Articles 8 to 27 duties on inventory, risk management, documentation, logging, human oversight, fundamental rights impact assessment and post-market monitoring. The ECB SSM and EBA hold the prudential line in the EU, with the national financial supervisor acting as AI Act market surveillance authority by default under Article 74(6). The practical play is to reconcile Annex IV documentation with SR 11-7 and PRA SS1/23 (effective 17 May 2024), so one artefact set satisfies all three regimes ahead of the 2 August 2026 high-risk deadline.