Reflections on the FinTech Sector from the Perspective of the EU AI Act

The European Union has enacted the first regulation establishing a comprehensive legal framework worldwide in response to the rapid proliferation of artificial intelligence technologies. The European Union Artificial Intelligence Regulation (“AI Act”), published on 13 June 2024 and entered into force on 1 August 2024, adopts a risk-based approach and imposes binding obligations on all actors developing, placing on the market, and using artificial intelligence systems.
The financial services sector constitutes one of the areas where artificial intelligence is most intensively utilized. The use of artificial intelligence in credit scoring, insurance risk assessment, anti-money laundering, fraud detection, and automated decision-making mechanisms is rapidly increasing. The AI Act classifies a significant portion of these applications as “high-risk,” and the fundamental requirements pertaining to high-risk artificial intelligence systems are envisaged to fully enter into force on 2 August 2026. This briefing note addresses the key obligations of the AI Act concerning the FinTech sector from both a legal and market conditions perspective.
Risk Classification and Financial Services
The AI Act classifies artificial intelligence systems according to a four-tiered risk hierarchy: unacceptable risk (prohibited practices), high risk, limited risk, and minimal risk. This classification is determined within the framework of Article 6 of the AI Act and the provisions of Annex III.
Section 5 of Annex III, titled “Access to and enjoyment of essential private services and essential public services,” defines two application areas directly relevant to the financial services sector as high-risk. The first pertains to artificial intelligence systems used to evaluate the creditworthiness of natural persons or to establish their credit score; however, systems designed for the detection of financial fraud are excluded from this scope. The second concerns artificial intelligence systems used for risk assessment and pricing in relation to natural persons in the context of life and health insurance. It should be particularly noted that artificial intelligence systems that perform profiling of natural persons are considered high-risk under all circumstances and cannot benefit from the exemption provision set forth in Article 6(3).
Key Obligations Regarding High-Risk AI Systems
The AI Act imposes comprehensive obligations on providers developing high-risk AI systems and on deployers utilizing them.
First and foremost, a continuous risk management system must be established and operated throughout the entire lifecycle of high-risk artificial intelligence systems. For a FinTech company engaged in credit scoring, this obligation translates concretely into the regular assessment of risks related to algorithmic fairness, data quality, and model performance.
In terms of data governance, training, validation, and testing datasets are required to be relevant, sufficiently representative, and as error-free as possible for their intended purpose. The AI Act envisages the examination of potential biases and the establishment of a documented mitigation strategy. Where necessary for bias elimination, the limited processing of sensitive personal data is also permitted. This provision constitutes a critical area of intersection with the General Data Protection Regulation (“GDPR”).
Providers are also obligated to prepare a comprehensive technical documentation file as specified in Annex IV. Details regarding system architecture, training data characteristics, model development methodology, bias assessment, and human oversight mechanisms must be included in this file. It is also mandatory that high-risk artificial intelligence systems be designed to automatically record events.
In terms of transparency and human oversight, particularly in credit and insurance decisions, it must be possible for artificial intelligence outputs to be supervised by a human and overridden when necessary. Beyond this, organizations deploying high-risk artificial intelligence systems that perform credit scoring and insurance risk assessment are required to conduct a Fundamental Rights Impact Assessment (“FRIA”) before using the system for the first time. While an internal control-based conformity assessment may generally be conducted for high-risk systems in financial services, the results are subject to the supervision of market surveillance authorities, and registration in the European Union (“EU”) database is mandatory.
Implementation Timeline and Sanctions
The AI Act envisages a phased implementation timeline. As of 2 February 2025, restrictions on prohibited artificial intelligence practices and AI literacy obligations have entered into force. On 2 August 2025, governance provisions and obligations concerning general-purpose artificial intelligence models commenced. On 2 August 2026, which is the most critical date for the FinTech sector, all obligations pertaining to high-risk artificial intelligence systems under Annex III – including credit scoring and insurance – will fully enter into force. While the Digital Omnibus proposal submitted by the European Commission on 19 November 2025 contains provisions that may affect these dates, it is recommended that institutions prepare according to the current timeline.
The AI Act envisages graduated and deterrent sanctions according to the type of infringement. In the event of non-compliance with prohibited artificial intelligence practices, administrative fines of up to EUR 35 million or up to seven percent of total worldwide annual turnover may be imposed; for non-compliance with high-risk artificial intelligence obligations, up to EUR 15 million or up to three percent; and for the provision of incorrect or incomplete information to competent authorities, up to EUR 7.5 million or up to one percent. For SMEs and start-ups, fines may be set at lower levels in accordance with the principle of proportionality. Where the same act also constitutes an infringement under GDPR or the Digital Operational Resilience Act (“DORA”) in conjunction with the AI Act, only the higher fine shall apply pursuant to the prohibition of double jeopardy.
Market Conditions and Sectoral Assessment
The year 2026 represents a critical turning point in the EU’s digital regulatory ecosystem. Regulations such as DORA and GDPR, alongside the AI Act, create simultaneous compliance requirements. This regulatory density presents both challenges and opportunities for FinTech companies. Organizations that achieve early compliance will gain a significant competitive advantage in accessing the European market. The transparency, auditability, and human oversight requirements envisaged by the AI Act should be regarded not merely as a compliance cost but as a strategic investment that enhances consumer trust.
The extraterritorial effect of the Regulation should also be particularly emphasized. Regardless of the country in which they are headquartered, artificial intelligence systems that provide services within EU borders or affect EU citizens are subject to this regulation. This matter is of direct significance for FinTech companies providing services from Türkiye to the EU market. Moreover, regulatory initiatives modeled on the AI Act are accelerating in Brazil, Canada, and numerous US states. Similar to how the GDPR has set global data protection standards, the AI Act is expected to become a global reference framework in the field of artificial intelligence.
Conclusion and Recommendations
The EU Artificial Intelligence Regulation is a regulation of global significance that transforms AI governance from voluntary guidance into binding legal obligation. The FinTech sector, particularly in the areas of credit scoring and insurance risk assessment, will face comprehensive compliance obligations starting from August 2026.
In this framework, it is recommended that FinTech companies inventory all existing and planned artificial intelligence systems and classify them according to risk categories, prepare comprehensive risk assessments and technical documentation for each high-risk system, address AI Act, GDPR, and DORA obligations under an integrated compliance framework, and establish continuous monitoring mechanisms. It is of great importance that regulatory requirements be regarded not merely as a cost item but as a strategic opportunity to build a reliable and auditable artificial intelligence infrastructure.