EU AI Act: Credit Scoring (Annex III, 5) — Obligations + ECJ SCHUFA

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Annex III, 5 classifies AI for creditworthiness assessment as high-risk
  • ECJ C-634/21 SCHUFA (Dec 2023): credit scoring constitutes automated decision-making under Art. 22 GDPR when banks rely on it substantially
  • Affected: banks, fintechs, credit-card companies, BNPL providers, savings banks
  • Fines: up to 35M EUR / 7% global revenue (Art. 99 EU AI Act) plus separate GDPR fines
  • Full applicability: Aug 2, 2026 legally binding (Digital Omnibus proposal of Nov 19, 2025: postponement to Dec 2, 2027 — trilogue ongoing, NOT adopted)

1. ECJ C-634/21 SCHUFA (Dec 2023)

The European Court of Justice ruled that credit scoring qualifies as an "automated individual decision" under Art. 22 GDPR when banks base their decisions essentially on the score. Consequence: meaningful human review is mandatory before rejection.

2. Annex III, 5 EU AI Act

High-risk classification for "AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score." Excludes AI for detecting financial fraud.

3. Obligations from Aug 2, 2026 (Digital Omnibus proposal of Nov 19, 2025: postponement to Dec 2, 2027 — trilogue ongoing, NOT adopted)

The obligations comprise conformity assessment (Art. 43), fundamental rights impact assessment (FRIA, Art. 27), logging (Art. 12), human oversight (Art. 14), accuracy and robustness (Art. 15), a risk management system (Art. 9), and data governance (Art. 10), as well as transparency to customers (Art. 13).

4. Mandatory bias testing

Art. 10 EU AI Act requires training data free of bias against protected groups. Document statistical fairness tests (e.g., demographic parity, equalized odds) and corrective actions. Retain records for at least five years.

5. Human final decision

An AI score alone may not justify rejection. Human oversight is mandatory: a credit officer must review and decide, particularly on adverse outcomes. Tie this to your Art. 22 GDPR safeguards.

6. Transparency for applicants

On rejection: provide reasons and access to the underlying data (Art. 15 GDPR + Art. 50 EU AI Act). Supervisors now expect a plain-language explanation of the main factors driving the score.

Summary

Credit-scoring AI sits in a triple overlap: Annex III high-risk, GDPR Art. 22 automated decision-making, and the SCHUFA ruling's mandatory human review. Banks and fintechs should run a FRIA, document bias tests, and integrate a clear human-in-the-loop step before any rejection by Aug 2, 2026 (Digital Omnibus proposal of Nov 19, 2025: postponement to Dec 2, 2027 — trilogue ongoing, NOT adopted).


Frequently Asked Questions

Who is affected?
Banks, fintechs, savings banks, credit card companies, BNPL providers.

Fines?
Art. 99 EU AI Act up to EUR 35 million / 7%. Plus GDPR fines.
