Financial Services · Annex III §5(b)

AI Act readiness for lenders and credit firms.

If your firm uses AI to assess creditworthiness, score credit, or automate lending decisions, you're operating under Annex III §5(b) of the EU AI Act. cosantio gives credit unions, retail credit firms, and lenders the workflow, artefacts, and named officer to be audit-defensible in time. Examples here are drawn from the Irish market we know best, but the obligations apply to lenders across the EU, with some country-specific variation.

What governs AI in financial services

Four pieces of regulation. One workflow.

Lending AI in Ireland and the EU is regulated by more than the AI Act. The four frameworks below overlap. cosantio's Scorecard maps your firm against all four at once.

01 · From 2027

EU AI Act, Annex III §5(b)

Source: Regulation (EU) 2024/1689

Classifies AI used to evaluate creditworthiness or establish a credit score for natural persons as high-risk, with an explicit carve-out for fraud detection. Triggers obligations on technical documentation, data governance, human oversight, FRIA, EU registration, and post-market monitoring.

High-risk regime applies: 02 Dec 2027

02 · Guidance

EBA mapping & CRD/CRR overlay

Source: EBA · November 2025

The EBA's mapping of AI Act implications for the banking sector finds that most obligations sit on top of, rather than replace, existing CRD/CRR internal governance and model-risk management, but only where those frameworks are documented to AI Act standards.

Overlaps with: CRD · CRR · MRM

03 · In force

Revised Consumer Protection Code

Source: Central Bank of Ireland · 24 Mar 2026

Raises expectations on automated decision-making, vulnerable-customer treatment, and customer outcomes. Now applies to all 172 regulated credit-union activities for the first time, sitting alongside the AI Act, not instead of it.

Applies to: All regulated FS firms

04 · In force

CBI supervision & DORA

Source: SI 366/2025 · DORA

The Central Bank of Ireland is the market surveillance authority for AI used by regulated financial firms. AI models in credit decisioning are ICT assets under DORA, and decision owners carry fitness-and-probity accountability.

Themes: MSA · DORA · F&P

Who's in scope

Credit unions, lenders, and credit firms. Different obligations.

The AI Act treats your firm differently based on whether you develop the AI or use it. That distinction (provider vs deployer) shapes which Article 16 or Article 26 obligations apply, and a vendor model run under your own name can pull you into both.

Typically Deployer

Credit unions.

Member-owned lenders using AI-assisted loan decisioning, affordability, or member analytics. Acting as deployer under Article 26 means a lighter but still substantive set of obligations, alongside the revised Consumer Protection Code.

Key obligation
Human oversight, member transparency, use according to instructions, and a FRIA where Article 27 applies.
Deployer, often Provider

Retail credit firms.

Consumer lenders, moneylenders, point-of-sale and BNPL providers running credit-scoring and affordability AI. Use a vendor model under your own brand, or fine-tune one, and Article 25 can reclassify you as a provider with full Article 16 obligations.

Key obligation
Resolve the vendor-versus-provider question first, then the FRIA and §5(b) classification for each credit model.
Both roles

Banks building in-house.

Challenger banks and credit institutions that are often both providers (in-house credit and underwriting models) and deployers (third-party tools). Both obligation sets apply, per AI system, on top of CRD/CRR internal governance.

Key obligation
Per-system classification. One register, multiple roles, the AI Act mapped onto existing model-risk management.

Article 25 caveat. Modifying a third-party AI system substantially (including changes to its intended purpose) reclassifies the deployer as a provider. A lender that fine-tunes a third-party credit model on its own book is almost certainly a provider, not a deployer. The Scorecard surfaces this where it applies to your firm.

In-scope AI systems

The systems lenders actually run.

Real systems we see across Irish and EU lenders. Classifications and obligations below are illustrative; your firm's classification depends on the specific use, not the product name.

Credit scoring & creditworthiness · e.g. loan and card underwriting
Algorithmic or ML-based assessment of whether to lend, at what limit, and on what terms. The headline §5(b) use case.
High-risk

Affordability & automated lending · e.g. consumer lending, BNPL decisioning
Automated affordability checks and accept, decline, or refer decisions on credit applications. Affects access to credit materially.
High-risk

Adverse-action & decline explanation · e.g. reason codes for refusals
Explaining to a declined applicant why credit was refused. A standing regulator concern around bias and financial exclusion.
High-risk

Fraud & AML monitoring · e.g. transaction monitoring, AML screening
AI used to detect financial fraud is carved out of the §5(b) high-risk category. Not Annex III high-risk, but DORA and AML obligations still apply.
Carve-out

Member & customer chat · e.g. support chatbots, query routing
Customer-facing AI for support, FAQs, and routing. Not a credit decision, but a customer interaction that must be disclosed.
Limited-risk

Sample lending dossier

What an audit-defensible lending file looks like.

Excerpt from a sample Annex IV technical dossier for a credit-scoring engine. Every finding cites firm-specific evidence; every gap names an owner and a date.

Technical Report · Annex IV (EU) 2024/1689

EU AI Act Conformity · Credit Scoring

Deployer: Sample Credit Union
Sector: Financial Services · Credit union
Reference: CSC-2026-0419
Issued: 13 May 2026

System: CreditScore Pro (v3.2)
Intended purpose: Consumer credit-scoring engine for an Irish retail lender
Hardware: AWS EC2 · EU-west-1
Oversight: Loan officer in the loop · mandatory manual review for declines

01 · Risk Management · Art. 9 · 3 questions
Is there a documented risk management system covering the full lifecycle?
Compliant
Cited evidence
Risk Management Framework v2.4 (Q1 2026) covers design, deployment, and post-market phases. Reviewed quarterly by the Risk Committee, chaired by the COO.
Is there a process for post-market risk monitoring?
Action required
Remediation plan
By end of Q3 2026, stand up a monthly data-drift and fairness monitor with alerting to the Compliance Officer. Owner: A. Murphy (Head of Risk). Mapped onto existing CRD model-risk monitoring.

03 · Data & Data Governance · Art. 10 · 4 questions
Are training and input datasets tested for bias across protected groups?
Compliant
Cited evidence
Quarterly disparate-impact testing on approval rates by age, gender, and geography. Reviewed by the Credit Risk Committee; last run Q1 2026 with no material disparity flagged.
Is data provenance documented for every feature in the model?
Action required
Remediation plan
By end of Q2 2026, complete the feature-lineage register for all 38 model inputs, flagging any alternative-data sources for an Article 5 social-scoring review. Owner: D. Byrne (Data Lead).
+ 9 more pillars in the full platform dossier · 25 questions across Annex IV
What you'll get

Start with the Scorecard. Go deeper in a demo.

The Scorecard is the same eight questions for every sector, but the result is sector-specific. Lenders get §5(b) classification, the Article 25 provider check, and a CRD/CPC overlay layered on top of the core readiness assessment.

Recommended start

Fast Scorecard.

Free · 3 minutes · no login

Eight plain-English questions. A regulator-grade PDF that scores your firm against every AI Act obligation in scope, with lending-specific framing throughout.

  • Classification under §5(b), with FRIA trigger flag
  • The Article 25 vendor-versus-provider check
  • Status on Article 4, 5, 50, and 11 obligations
  • Prioritised action plan with weeks-to-readiness estimate
~3 min · PDF in 5
Deep dossier

Deep Dossier.

Demo · 20 minutes · with our team

The full Annex IV workflow inside the platform: 25 questions across 11 pillars per AI system, producing a regulator-grade technical dossier for the Central Bank, an auditor, or your board. Book a demo to walk through a sample and the lending-specific features.

  • Annex IV-shaped technical dossier per system
  • Cited evidence and remediation plans per finding
  • Sample credit-scoring pillar map (CreditScore Pro reference)
  • Signed cover sheet for board and regulator use
~20 min · live walkthrough
Common questions

Things lenders ask us first.

Financial Services · §5(b)

Find out where your lending stands.

Eight questions. Three minutes. A regulator-grade PDF with §5(b) classification, the Article 25 provider check, and a prioritised action plan for your firm.