GPAI in Finance: You Call an API. Does That Make You a Provider?
No. And the fact that this question keeps coming up — usually from a general counsel who has read Articles 53 to 55 and gone pale — tells you how badly the general-purpose AI chapter is understood in financial services. Here is the actual test, and the number that decides it.
Consuming a model is not providing one
The GPAI obligations in Chapter V attach to whoever places a general-purpose AI model on the market. That is OpenAI, Anthropic, Google, Mistral, Meta. It is not the bank that sends them prompts over an API.
Those obligations have been in force since 2 August 2025 — they are not a future deadline — and they consist of technical documentation, information for downstream providers, a copyright policy, and a public summary of training data. If a model crosses the 1025 FLOPs systemic-risk presumption in Article 51, its provider must add model evaluation, adversarial testing and incident reporting to the Commission. None of that is your problem when you are the customer.
The one that is genuinely unclear: fine-tuning
This is where the real question lives. The AI Act says a general-purpose model can be modified into a new model, but it never says at what point the modifier becomes a provider of the result. Fine-tuning is not a binary — a light LoRA adapter and a full continued-pretraining run are both "fine-tuning", and they are separated by four orders of magnitude of compute.
The Commission answered this in its GPAI guidelines of 18 July 2025, with an indicative criterion:
A downstream modifier is considered the provider of the modified model when the training compute used for the modification exceeds one third of the training compute of the original model — or, where the original figure is not known, one third of 1023 FLOPs.
Read that number against what a bank actually does. Fine-tuning a frontier model with LoRA or adapters, on an internal corpus, costs a rounding error of the base model's training compute. It is not close to a third. It is not close to a hundredth of a third.
So the honest answer for almost every financial institution is: no, your fine-tuning does not make you a GPAI provider. Not "probably not, seek advice" — there is a published threshold and you are nowhere near it. What you should do is know your number, because "we fine-tune models" in a board pack is not an answer, and a compute figure is.
Where it does bite
Two scenarios put a financial institution on the wrong side of the line, and neither is exotic.
You train your own model from scratch. Some larger institutions do, on their own transaction data. If it is general-purpose in its capabilities and you place it on the market — including within a group, in some readings — you are a provider, with the full Chapter V file. The systemic-risk threshold is unlikely to be in play, but the baseline obligations are.
You do continued pre-training, not fine-tuning. The distinction is compute, not vocabulary. Teams describe both as "fine-tuning". If your ML platform team is spending real money on GPUs against a base model, get the number before you assume the classification.
Do not let GPAI distract you from the thing that actually applies
Here is the part most institutions get backwards. They spend weeks on whether they are a GPAI provider — they are not — and then deploy an API-backed model inside a credit decision, which makes them a deployer of a high-risk AI system under Annex III, with a real and heavy obligation set. That is Chapter III, not Chapter V, and it is where the exposure is.
| What you do | Are you a GPAI provider? | What actually applies |
|---|---|---|
| Call GPT / Claude / Gemini over an API | No | Art. 50 transparency if it faces customers; Annex III if it feeds a credit or insurance decision |
| Fine-tune with LoRA / adapters on internal data | No — nowhere near the 1/3 threshold | Same as above |
| Continued pre-training at scale | Possibly — get the compute figure | Chapter V, plus whatever the use case triggers |
| Train and release a general-purpose model | Yes | Art. 53-55 in full; Art. 51 if above 1025 FLOPs |
The free AI Act exposure check separates these paths explicitly — it will not tell you that you are a GPAI provider for fine-tuning, because you almost certainly are not, and a tool that scares you into the wrong chapter has cost you more than it saved. The AI Act hub for financial institutions maps the whole picture against your existing DORA programme.
The full GPAI rules are on our sister site: the GPAI guide, and Article 51 on the systemic-risk classification.
This article is analytical guidance for compliance and legal teams, not legal advice. References: EU AI Act (Regulation (EU) 2024/1689), the Digital Omnibus on AI (Council green light, 29 June 2026), DORA (Regulation (EU) 2022/2554), and the Commission guidelines on GPAI of 18 July 2025.