AI Act & Credit Scoring: What You Must Do Before August 2026
Countdown: 4 months before the AI Act deadline. Credit scoring is classified high-risk. 5 concrete obligations and a checklist to be ready.
The Countdown Has Begun
August 2, 2026 — that's 4 months away. On that day, credit scoring officially becomes a high-risk AI system under EU Regulation 2024/1689. The penalties? Up to EUR 15 million or 3% of global revenue. Plus a temporary ban on deployment.
:::alert **Credit scoring is explicitly listed in Annex III of EU Regulation 2024/1689 as a high-risk AI system.** Fines up to EUR 15M or 3% of global revenue. No gray zone — it's binary: compliant or non-compliant. :::
What the AI Act Actually Says About Scoring
Two different roles, two different responsibilities:
**Provider** = you create or sell the scoring engine (e.g., RocketFin, Coface, Creditsafe)

**Deployer** = you use it in your decision-making process (e.g., fintech, broker, insurer)
Both must be compliant. And here's the critical part: **if you use a third-party scoring tool, you're the deployer. You're responsible for its compliance in your usage context.**
:::takeaway **Key Takeaway** — If you use a third-party scoring tool, you're the deployer. You're responsible for its compliance in your usage context. Demand AI Act documentation from your provider. :::
5 Concrete Obligations for Your Scoring Engine
① Traceability — every decision archived and auditable
Every score generated must be recorded with:

- Exact timestamp (to the second)
- Input data used
- Model output
- Human decision that follows

**What's missing in 80% of current engines**: a structured audit trail retained for a minimum of 5 years. Many providers generate scores but trace nothing.
② XAI Explainability — the model justifies every score variable by variable
For each score, you must answer: "Why this score?" No black boxes. The 5 contributing variables, model weights, applied thresholds — everything must be explained.
**What's missing in 80% of cases**: providers give a score (0-100) without explaining why. By August 2026, that's non-compliant.
③ Human Oversight — documented process for borderline case review
A score is a recommendation. A decision is a human act. The AI Act requires human review, especially for borderline cases (e.g., score 55-65/100).
**What's missing in 90% of processes**: human oversight is documented but not systematized. No defined process for borderline cases.
④ Technical Documentation — complete dossier kept up-to-date
You must maintain technical documentation including:

- Model architecture (data, variables, weights)
- Robustness testing (adversarial testing, bias analysis)
- GDPR compliance documentation
- Logs of all model updates
**What's missing**: few providers maintain this dynamically. It's static — or nonexistent.
⑤ Registration — EU database of high-risk AI systems (NFRA)
From August 2026, high-risk AI systems must be registered in the EU's NFRA database. It's a public registry.
**Implication**: your credit scoring engine will be publicly registered. No anonymity.
What the AI Act Changes for Your 4 Data Sources
① Open Banking — consent must be documented and traced
When you access a client's banking flows via PSD2, every access must be recorded with timestamp and explicit consent.
**Concrete obligation**: audit trail of every API call, with proof of consent archived.
② OCR Financial Statements — every extraction must generate a timestamped log
When a client uploads their financial statement and you analyze it via OCR, every extraction must generate an auditable timestamped log.
**Concrete obligation**: every document processed = one entry in the audit trail, with timestamp and OCR algorithm version.
③ Legal Data — verifiable and archivable provenance
Public records data, business registries: their provenance must be traced and archivable. You must prove where data comes from.
**Concrete obligation**: source documentation, collection timestamp, API version used.
④ Final Score — mandatory explainability report per decision
:::insight **Insight** — A black-box scoring engine that gives a score without explanation will be non-compliant by August 2, 2026. No exception for third-party solutions. No "we don't know how the model decides" — that's unacceptable. :::
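The five engine obligations and the data-source obligations above all come down to the same artifact: a per-decision record that carries inputs, per-variable contributions, the applied thresholds, the consent and OCR events it relied on, and the human decision that followed. The block below is an added example written for this article, not code from the page or from any provider it names. It assumes a toy linear scoring model, constructed field names and values, the page's 55-65 band as the borderline range, and hash-chains the entries so that an edited or deleted record is detectable (the page asks for an auditable trail; chaining is this example's choice, not a stated requirement).

```python
"""Added example: tamper-evident audit trail for one credit-scoring decision.
Not code from the page or any scoring provider; the linear model, field names
and hash chaining are assumptions of this example."""
import hashlib
import json
from datetime import datetime, timezone

BORDERLINE_BAND = (55, 65)  # band the page gives as an example for human review
GENESIS_HASH = "0" * 64


class AuditTrail:
    """Append-only log; each entry stores the SHA-256 of the previous one."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, kind, payload):
        entry = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "kind": kind,
            "payload": payload,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS_HASH,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every link and every digest in the chain is intact."""
        prev = GENESIS_HASH
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    # Data-source events: one entry per PSD2 API call (with the consent it relies
    # on) and one per OCR extraction (with the OCR algorithm version used).
    def record_bank_access(self, client_id, consent_id, endpoint):
        return self._append("open_banking_access", {"client": client_id,
                            "consent": consent_id, "endpoint": endpoint})

    def record_ocr_extraction(self, client_id, document_id, ocr_version, fields):
        return self._append("ocr_extraction", {"client": client_id, "document": document_id,
                            "ocr_version": ocr_version, "fields": fields})

    # Scoring: inputs, weights, per-variable contributions, thresholds and the
    # resulting review flag are archived together with the score itself.
    def record_score(self, client_id, features, weights, model_version):
        contributions = {k: round(features[k] * weights[k], 2) for k in weights}
        score = max(0, min(100, round(sum(contributions.values()))))
        borderline = BORDERLINE_BAND[0] <= score <= BORDERLINE_BAND[1]
        return self._append("score", {
            "client": client_id, "model_version": model_version,
            "inputs": features, "weights": weights, "contributions": contributions,
            "borderline_band": BORDERLINE_BAND, "score": score,
            "requires_human_review": borderline,
        })

    def record_human_decision(self, score_seq, reviewer, decision, rationale):
        ref = self.entries[score_seq]
        if ref["kind"] != "score":
            raise ValueError("entry %d is not a score" % score_seq)
        if ref["payload"]["requires_human_review"] and not rationale.strip():
            raise ValueError("borderline case needs a written rationale")
        return self._append("human_decision", {"score_seq": score_seq, "reviewer": reviewer,
                            "decision": decision, "rationale": rationale})

    def explain(self, score_seq):
        """Variables ordered by absolute contribution: the 'why this score?' answer."""
        c = self.entries[score_seq]["payload"]["contributions"]
        return sorted(c.items(), key=lambda kv: abs(kv[1]), reverse=True)

    def pending_reviews(self):
        """Borderline scores that no human decision has referenced yet."""
        decided = {e["payload"]["score_seq"] for e in self.entries if e["kind"] == "human_decision"}
        return [e for e in self.entries if e["kind"] == "score"
                and e["payload"]["requires_human_review"] and e["seq"] not in decided]


def build_sample_trail():
    """Constructed walk-through of one application; every value is made up."""
    t = AuditTrail()
    t.record_bank_access("client-42", "consent-7f3a", "/accounts/transactions")
    t.record_ocr_extraction("client-42", "fs-2025.pdf", "ocr-2.3.1",
                            {"revenue": 1_200_000, "net_income": 85_000})
    weights = {"liquidity_ratio": 40, "revenue_trend": 30,
               "payment_incidents": -30, "legal_events": -10}
    features = {"liquidity_ratio": 0.8, "revenue_trend": 0.9,
                "payment_incidents": 0.0, "legal_events": 0.0}
    score = t.record_score("client-42", features, weights, "model-1.4.0")
    return t, score["seq"]


if __name__ == "__main__":
    trail, seq = build_sample_trail()
    print("score", trail.entries[seq]["payload"]["score"], "why", trail.explain(seq))
    trail.record_human_decision(seq, "analyst-17", "approve", "strong liquidity, no incidents")
    print("pending reviews", len(trail.pending_reviews()), "chain intact", trail.verify())
```

The sample application scores 59, inside the borderline band, so `pending_reviews()` lists it until an analyst records a decision with a non-empty rationale; `explain()` returns the same contributions the score entry archived, so the explanation and the audit record cannot drift apart. Retention is not modelled here: the 5-year minimum is a storage-policy matter for wherever these entries are persisted.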
8-Point Audit Checklist
Before August 2026, audit your infrastructure:
- [ ] **Traceability**: Does your engine trace every decision with timestamp?
- [ ] **Explainability**: Can you explain every score variable by variable?
- [ ] **Human Review**: Do you have a documented process for borderline case review?
- [ ] **AI Act Provider**: Is your scoring provider AI Act compliant (documentation + attestation)?
- [ ] **Retention**: Are your logs kept for minimum 5 years?
- [ ] **Documentation**: Do you have up-to-date technical documentation (model, variables, tests)?
- [ ] **Open Banking Consent**: Is open banking consent documented and traced?
- [ ] **OCR Audit Trail**: Does OCR generate an audit trail per document processed?
If you check fewer than 6 boxes, you have work to do.
The Real Risk: Not Acting Before August
Two possible scenarios:
**Scenario 1 — You have an AI Act compliant engine now**:

- Zero effort required by August
- Competitive advantage vs. large players not ready
- You can market this compliance as a differentiator
- Immediate ROI

**Scenario 2 — Your engine isn't compliant**:

- Minimum migration: 3-4 months
- You must start now (May 2026)
- Risk of service interruption between August 2026 and your update
- Migration costs + potential penalties if non-compliance detected
:::insight **Kévin Buisson's Take** — Players who integrate AI Act compliance now don't suffer it — they make it a commercial argument against large players not ready. By August 2026, AI Act compliance won't be a differentiator — it'll be table stakes. :::
Conclusion
August 2026 isn't far away. It's 4 months. Compliant credit scoring won't be a differentiator anymore — it'll be the minimum requirement.
If your current provider can't show you their AI Act documentation and audit trail, it's time to ask questions. Or change providers.