AI Act · PSD2 sector

The EU AI Act for Payment & E-Money Institutions

You already run fraud engines, AML screening and SCA. Almost none of it is high-risk under the AI Act. Here is the one system that is.

Check your exposure — free

Most of your AI is not high-risk

The systems a payment institution actually runs — fraud detection, transaction monitoring, AML screening, risk-based authentication, KYC verification — sit outside Annex III, and in the case of fraud detection they are excluded from it by name. If you are budgeting a high-risk conformity programme for your fraud engine, stop.

Your AI systems, classified

Read this the way the Act reads it: Annex III is a list of named use cases, not a judgement about how important a system is to your business. The most consequential model you run may well be the one the Act says nothing about.

SystemUnder the AI ActWhy
Consumer credit scoring — BNPL, overdraft, instalment High-risk High-risk — Annex III 5(b) Evaluating the creditworthiness of a natural person is named outright. If you have moved into BNPL or any consumer lending, this is your high-risk system.
Fraud detection and transaction monitoring Not high-risk Not high-risk Annex III point 5(b) contains an explicit exception for AI systems used for the purpose of detecting financial fraud. This is the single most misclassified system in the sector.
AML screening, sanctions screening, PEP matching Not high-risk Not high-risk Not named anywhere in Annex III. Your AML obligations come from the AML framework, and they have not changed.
Risk-based authentication and SCA exemption scoring (PSD2 TRA) Not high-risk Not high-risk Not in Annex III. This is a PSD2 obligation with an RTS behind it; the AI Act adds nothing to it.
KYC identity verification — selfie / document match Not high-risk Not high-risk Annex III point 1 covers remote biometric identification (matching one face against a database). It expressly excludes biometric verification whose sole purpose is confirming that a person is who they claim to be — which is exactly what onboarding selfie-match does.
Customer chatbot or voice assistant Applies Transparency — Art. 50 Not high-risk, but you must tell the customer they are dealing with an AI. This applies from 2 August 2026, well before the high-risk regime.
CV screening, staff scheduling, employee monitoring Applies High-risk — Annex III point 4 This catches you as an employer, not as a payment institution. It is high-risk all the same, and HR usually procures it without telling compliance.

How it sits on the regime you already carry

You are already regulated three times over: PSD2 for authentication and fraud reporting, DORA for ICT risk and incidents since January 2025, and the AML framework for screening. The AI Act does not replace any of them and does not restate any of them.

What it adds is narrow. If you do consumer credit, it adds the whole of Chapter III to that one system. If you have a customer-facing bot, it adds Article 50. For everything else, it adds Article 4 — take measures to support the AI literacy of the people using these systems — and nothing more.

Read the text

We describe the delta. The Act itself — all 113 articles, in 24 EU languages — lives on our sister site.

Frequently asked questions

Is our fraud detection engine high-risk under the AI Act?
No. Annex III point 5(b) covers creditworthiness evaluation and credit scoring, but it contains an explicit exception for AI systems used for the purpose of detecting financial fraud. Fraud detection and transaction monitoring are therefore not high-risk by nature. The exception is narrow, though: if the same model also feeds a credit decision, it comes back into scope through 5(b) proper.
Does our KYC selfie check make us a deployer of a high-risk biometric system?
No, provided it is one-to-one verification. Annex III point 1 covers remote biometric identification, meaning matching a face against a reference database. It expressly excludes AI systems used for biometric verification whose sole purpose is to confirm that a specific person is the person they claim to be. Onboarding selfie-match against the document the customer just uploaded is verification, not identification.
We offer buy-now-pay-later. Does that change things?
Yes, and it is the change that matters. BNPL involves evaluating the creditworthiness of natural persons, which Annex III point 5(b) names as high-risk. That system attracts the full Chapter III obligation set: risk management, data governance, technical documentation, logging, human oversight, and registration in the EU database. The deadline is 2 December 2027 after the Digital Omnibus deferral.
We buy our scoring model. Are we the deployer?
Only if you use it as delivered. Under Article 25 you become its provider — with conformity assessment, CE marking and EU database registration — if you put your name on it, substantially modify it, or change its intended purpose. Fine-tuning a bought scoring model on your own portfolio is a substantial modification, and it is exactly what most institutions do.
When is our first AI Act deadline?
If you run a customer-facing chatbot: 2 August 2026, for the Article 50 transparency duties. That date was not touched by the Digital Omnibus. The high-risk regime for Annex III systems runs to 2 December 2027.

Start free: run the AI Act exposure check to classify a specific system, or read the cross-obligation table showing what the AI Act adds to a DORA programme. Already working on DORA? See DORA for Payment Institutions. Analytical guidance for compliance teams, not legal advice.

How Compliant Is Your Institution?

Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.

Get Your Free DORA Score Join Free Monthly Webinar