You already run fraud engines, AML screening and SCA. Almost none of it is high-risk under the AI Act. Here is the one system that is.
Check your exposure — freeThe systems a payment institution actually runs — fraud detection, transaction monitoring, AML screening, risk-based authentication, KYC verification — sit outside Annex III, and in the case of fraud detection they are excluded from it by name. If you are budgeting a high-risk conformity programme for your fraud engine, stop.
Read this the way the Act reads it: Annex III is a list of named use cases, not a judgement about how important a system is to your business. The most consequential model you run may well be the one the Act says nothing about.
| System | Under the AI Act | Why |
|---|---|---|
| Consumer credit scoring — BNPL, overdraft, instalment | High-risk High-risk — Annex III 5(b) | Evaluating the creditworthiness of a natural person is named outright. If you have moved into BNPL or any consumer lending, this is your high-risk system. |
| Fraud detection and transaction monitoring | Not high-risk Not high-risk | Annex III point 5(b) contains an explicit exception for AI systems used for the purpose of detecting financial fraud. This is the single most misclassified system in the sector. |
| AML screening, sanctions screening, PEP matching | Not high-risk Not high-risk | Not named anywhere in Annex III. Your AML obligations come from the AML framework, and they have not changed. |
| Risk-based authentication and SCA exemption scoring (PSD2 TRA) | Not high-risk Not high-risk | Not in Annex III. This is a PSD2 obligation with an RTS behind it; the AI Act adds nothing to it. |
| KYC identity verification — selfie / document match | Not high-risk Not high-risk | Annex III point 1 covers remote biometric identification (matching one face against a database). It expressly excludes biometric verification whose sole purpose is confirming that a person is who they claim to be — which is exactly what onboarding selfie-match does. |
| Customer chatbot or voice assistant | Applies Transparency — Art. 50 | Not high-risk, but you must tell the customer they are dealing with an AI. This applies from 2 August 2026, well before the high-risk regime. |
| CV screening, staff scheduling, employee monitoring | Applies High-risk — Annex III point 4 | This catches you as an employer, not as a payment institution. It is high-risk all the same, and HR usually procures it without telling compliance. |
You are already regulated three times over: PSD2 for authentication and fraud reporting, DORA for ICT risk and incidents since January 2025, and the AML framework for screening. The AI Act does not replace any of them and does not restate any of them.
What it adds is narrow. If you do consumer credit, it adds the whole of Chapter III to that one system. If you have a customer-facing bot, it adds Article 50. For everything else, it adds Article 4 — take measures to support the AI literacy of the people using these systems — and nothing more.
We describe the delta. The Act itself — all 113 articles, in 24 EU languages — lives on our sister site.
Start free: run the AI Act exposure check to classify a specific system, or read the cross-obligation table showing what the AI Act adds to a DORA programme. Already working on DORA? See DORA for Payment Institutions. Analytical guidance for compliance teams, not legal advice.
Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.