If your crypto exchange, neobank, lending platform, or payments business operates in the EU — or serves EU customers — the August 2, 2026 deadline for the EU AI Act's high-risk systems obligations is now 93 days away. And most compliance teams are still treating the AI Act like a future problem.
It's not. It's a now problem.
The AI Act was published in the Official Journal of the European Union on July 12, 2024, and entered into force on August 1, 2024. The prohibited practices chapter applied from February 2, 2025. The general-purpose AI (GPAI) model obligations applied from August 2, 2025. And the high-risk AI systems chapter — the one that captures most fintech and crypto AI use cases — applies from August 2, 2026.
Miss the deadline and the penalty framework is severe: up to €35M or 7% of worldwide annual turnover for prohibited practices, up to €15M or 3% of global turnover for most high-risk violations, and up to €7.5M or 1% of turnover for providing incorrect information to regulators.
For a mid-sized crypto exchange with €500M in annual global revenue, a 3% penalty is €15M. For a unicorn neobank at €2B, it's €60M. These aren't theoretical numbers — they're the ceiling the European Commission and national market surveillance authorities are empowered to impose, and the Commission has been explicit that enforcement will not be gentle.
This guide walks through what the AI Act actually requires of financial services operators, which of your AI systems are classified as high-risk, how the AI Act layers on top of your existing MiCA and AMLR compliance obligations, and what a realistic implementation plan looks like with less than 100 days on the clock.
1. What the AI Act Actually Covers (and Why It Applies to You)
The AI Act is regulation 2024/1689 — the first comprehensive horizontal legislation on artificial intelligence in any major jurisdiction. It applies extraterritorially, meaning it captures:
- Providers placing AI systems on the EU market, regardless of where the provider is established
- Deployers (users) of AI systems located in the EU
- Providers and deployers located outside the EU where the output of the AI system is used in the EU
That third prong is what catches most global crypto exchanges and fintechs. If your US-based trading platform uses an AI fraud detection model and the output is used to approve or reject transactions for EU customers, the AI Act applies to your use of that model — even if the model itself was trained and hosted outside the EU.
The Act divides AI systems into four risk tiers:
- Unacceptable Risk (Prohibited): Social scoring, manipulative subliminal techniques, emotion recognition in workplaces, real-time biometric identification in public spaces (with narrow exceptions). These have been prohibited since February 2, 2025.
- High Risk: AI systems listed in Annex III or used as safety components of regulated products. This is the category that captures most financial services AI. Compliance deadline: August 2, 2026.
- Limited Risk: Systems with specific transparency obligations — chatbots must disclose they're AI, deepfakes must be labeled. Deadline varies.
- Minimal Risk: Everything else. No specific AI Act obligations, but voluntary codes of conduct are encouraged.
The financial services sector sits primarily in the high-risk tier. Annex III explicitly names three use cases that map directly onto standard fintech and crypto operations.
2. The Three High-Risk AI Categories That Capture Financial Services
Annex III, point 5(b), of the AI Act classifies as high-risk:
"AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud."
Annex III, point 5(c), classifies:
"AI systems intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance."
And Annex III, point 1, captures biometric identification and categorization systems — relevant for KYC/AML onboarding flows using biometric verification.
In practice, this means three categories of financial services AI are presumptively high-risk:
Credit Scoring and Creditworthiness Assessment
Any AI model that evaluates whether a natural person qualifies for a loan, a credit line, a buy-now-pay-later limit, a crypto margin facility, a credit card, or any other form of credit extension is in scope. This includes:
- Traditional credit scoring models used by lenders and neobanks
- BNPL underwriting models (Klarna, Affirm, and EU equivalents)
- Crypto-collateralized lending risk models (Aave, Compound, and centralized equivalents)
- Margin account approval models at crypto exchanges
- Dynamic credit limit adjustment models
- Merchant underwriting models for payment processors
The carve-out for fraud detection is narrow. A model that rejects a loan application because it thinks the applicant is committing fraud is fraud detection. A model that rejects the application because it thinks the applicant won't repay is creditworthiness assessment — and high-risk.
Fraud Detection (Selective)
The AI Act explicitly excludes "AI systems used for the purpose of detecting financial fraud" from the credit scoring high-risk category. But this exclusion has been the source of significant regulatory ambiguity. The European Commission has clarified that:
- Pure transaction-level fraud detection (flagging a stolen card transaction) is not high-risk
- AML transaction monitoring is generally not classified as high-risk under Annex III
- But fraud scoring that also influences creditworthiness decisions straddles the line
- And biometric fraud detection (face matching for account takeover prevention) may fall under Annex III point 1
Crypto exchanges should pay particular attention: the combination of chain analytics scoring, wallet risk scoring, and transaction monitoring often ends up influencing whether a customer can deposit, withdraw, or trade — which looks a lot like access control, which the AI Act treats differently.
Customer Profiling and Biometric Categorization
Annex III point 1 captures AI systems used for biometric categorization of natural persons based on sensitive attributes. KYC flows that use biometric verification (liveness detection, selfie matching against passport photo) are generally not high-risk when used solely for identity verification. But if the biometric system categorizes customers into risk groups, segments them by demographic characteristics, or feeds into pricing or access decisions, the high-risk classification can apply.
Practically: a liveness check that confirms "this is a real human matching the passport" is not high-risk. A facial analysis system that estimates age, ethnicity, or emotion and uses that to drive any downstream decision almost certainly is.
3. What High-Risk Classification Actually Requires
If any of your AI systems are classified as high-risk, Chapter III of the AI Act imposes nine substantive obligations that must be in place by August 2, 2026:
| # | Obligation | Article | What It Means for Fintech |
|---|---|---|---|
| 1 | Risk Management System | Art. 9 | Continuous lifecycle risk management — identification, estimation, evaluation, mitigation of foreseeable risks, with attention to health, safety, and fundamental rights |
| 2 | Data and Data Governance | Art. 10 | Training, validation, and testing datasets must be relevant, representative, free of errors. Examine for biases affecting protected groups |
| 3 | Technical Documentation | Art. 11 / Annex IV | 15 sub-items of documentation: system description, development process, monitoring metrics, performance metrics, risk management info |
| 4 | Record-Keeping / Logging | Art. 12 | Automatic event logging over system lifetime. Logs must enable risk identification, modification tracking, and operation monitoring |
| 5 | Transparency to Deployers | Art. 13 | Instructions for use: characteristics, capabilities, limitations, foreseeable misuse, human oversight measures, computational requirements |
| 6 | Human Oversight | Art. 14 | Designed for human review of material decisions. Not rubber-stamp — genuine human-in-the-loop or human-on-the-loop mechanism |
| 7 | Accuracy, Robustness, Cybersecurity | Art. 15 | Appropriate levels of accuracy and robustness throughout lifecycle. Resilient against adversarial attacks. Metrics declared in instructions |
| 8 | Quality Management System | Art. 17 | Covers compliance strategy, design/development procedures, testing, data management, post-market monitoring, incident reporting, regulatory comms |
| 9 | Conformity Assessment & CE Marking | Art. 43, 48 | Documented internal conformity assessment. CE marking. Public registration in the EU database of high-risk AI systems |
That last point is the one most fintech teams underestimate. Registering in the EU database is a public act. Every high-risk AI system you deploy becomes publicly visible to regulators, competitors, journalists, and civil society groups. That's by design — the AI Act is built around transparency as an enforcement mechanism.
4. The Provider vs. Deployer Distinction
The AI Act draws a critical distinction that most fintech teams handle poorly: the difference between a "provider" and a "deployer" of an AI system.
Provider: The entity that develops an AI system or has it developed and places it on the market or puts it into service under its own name. Providers bear the bulk of the Chapter III obligations.
Deployer: A natural or legal person using an AI system under its authority. Deployers have a narrower set of obligations (primarily around human oversight, monitoring, and logging).
If you build your credit scoring model in-house, you're both the provider and the deployer. Full Chapter III obligations apply.
If you license a credit scoring model from a third-party vendor (FICO, Experian, Zest AI, and EU equivalents), you're typically the deployer. The vendor is the provider. But:
- If you substantially modify the model, you become a provider
- If you use a general-purpose model (e.g., a foundation model from OpenAI, Anthropic, Mistral) and fine-tune it for credit scoring, you almost certainly become a provider of a high-risk AI system
- If you brand a third-party model as your own, you're a provider
Crypto exchanges using external chain analytics vendors (Chainalysis, Elliptic, TRM Labs) for wallet risk scoring need to map carefully who is the provider and who is the deployer. If the vendor's scoring output is being used by your system to make access decisions about EU customers, your deployment of that output has obligations even if the underlying model was built elsewhere.
5. How the AI Act Interacts with MiCA, AMLR, and DORA
The AI Act doesn't replace sector-specific regulation — it layers on top. For EU-active crypto and fintech businesses, the August 2, 2026 deadline falls in the middle of a compliance pile-up:
| Regulation | Deadline | Overlap with AI Act |
|---|---|---|
| MiCA (grandfathering) | July 1, 2026 | AI-driven ops risk + AI Act high-risk obligations on same systems |
| EU AI Act (high-risk) | August 2, 2026 | Credit scoring, biometric KYC, fraud detection — all in scope |
| AMLR / AMLD6 (transposition) | July 10, 2026+ | AI-powered AML monitoring — dual regime obligations |
| DORA (ICT resilience) | Already applying (Jan 17, 2025) | AI systems are ICT assets — separate incident reporting regimes |
| GDPR | Ongoing | Article 22 automated decision-making + AI Act human oversight |
| CSRD | Staggered through 2028 | AI governance reporting may be required in sustainability disclosures |
AI Act × MiCA
MiCA imposes operational resilience, governance, and risk management requirements on CASPs (crypto-asset service providers). Your AI-driven transaction monitoring system is simultaneously subject to MiCA operational risk requirements (Article 68) and AI Act high-risk system obligations. The risk management systems required by both must be compatible — not duplicative, not contradictory.
AI Act × AMLR
The new EU AML Package requires CASPs to implement enhanced customer due diligence, transaction monitoring, and suspicious activity reporting. Where those obligations are discharged through AI systems, both regimes apply. AMLA (the new EU AML authority) and the national market surveillance authorities under the AI Act will have overlapping oversight.
AI Act × DORA
DORA imposes ICT risk management, incident reporting, and digital operational resilience testing on financial entities. Your high-risk AI systems are ICT assets under DORA and high-risk systems under the AI Act. The incident reporting regimes are separate — you may have to report a single operational failure under both.
AI Act × GDPR
Every AI system that processes personal data is also subject to GDPR. The AI Act's data governance obligations don't replace GDPR obligations — they layer on top. In particular, Article 22 GDPR rights (automated decision-making) continue to apply, and the AI Act's human oversight obligations must be implemented in a way that's compatible with the Article 22 right to contest.
The teams that get this wrong typically implement AI Act compliance as a standalone program, then discover their MiCA ops risk framework contradicts their AI Act risk management system, or that their DORA incident playbook doesn't trigger AI Act incident reporting, or that their GDPR DPIAs don't capture the high-risk AI system dimensions. The right approach is an integrated compliance framework with the AI Act slotted in as one regulatory overlay alongside MiCA, AMLR, DORA, and GDPR.
6. A 93-Day Implementation Plan
With the August 2, 2026 deadline now 93 days out, most fintech and crypto teams need to move faster than they're currently moving. A realistic implementation plan breaks into four phases.
Phase 1: AI System Inventory (Days 1–14)
You can't comply with the AI Act until you know which AI systems you have. The inventory must capture:
- System name, purpose, and business owner
- Provider or deployer status
- Input data types (personal data, non-personal data, sensitive categories)
- Output and downstream use
- Initial risk tier classification (prohibited, high, limited, minimal)
- Relevant Annex III category (if high-risk)
- Third-party components and their providers
Most mid-sized fintechs discover 20–40 AI systems in this phase. Most crypto exchanges discover 10–25. Nearly everyone finds systems they forgot existed — legacy fraud models, abandoned ML pipelines still running in production, vendor-provided scoring APIs embedded in customer-facing flows.
Phase 2: High-Risk Classification and Gap Analysis (Days 15–30)
For each system flagged as potentially high-risk, conduct a formal classification assessment and map it against the Chapter III obligations. The output should be a gap matrix: for each high-risk system, what obligations are already met, what needs remediation, and what needs to be built from scratch.
Phase 3: Remediation (Days 31–75)
Build or update the nine substantive obligation areas: risk management system, data governance, technical documentation, logging, transparency, human oversight, accuracy/robustness/cybersecurity, quality management system, conformity assessment. For systems where remediation is impossible by August 2, 2026, the options are: withdraw the system from EU use, replace with a compliant alternative, or accept enforcement exposure.
Phase 4: Conformity Assessment and Registration (Days 76–93)
Complete the conformity assessment for each high-risk system, affix CE marking where required, and register the system in the EU database. Registration is the last step but it's not a rubber stamp — it requires the technical documentation to be complete and the internal conformity assessment to be defensible.
Track EU AI Act implementation deadlines and guidance — delegated acts, standards, and AI Office decisions monitored automatically.
Start free trial →7. The Tooling Angle — Why Manual Monitoring Won't Scale
The AI Act creates a permanent regulatory monitoring obligation that doesn't end on August 2, 2026. Post-market monitoring (Article 72) requires providers to systematically collect, document, and analyze data on the performance of high-risk AI systems throughout their lifecycle. Serious incident reporting (Article 73) requires notification to national authorities within specific timeframes. And the Commission, the AI Board, and national authorities will continue to issue guidance, implementing acts, and technical standards that refine the obligations.
For a financial services business operating across EU member states, monitoring AI Act developments manually means tracking:
- The European Commission's DG CNECT publications
- The AI Office (established within DG CNECT)
- The AI Board and its subgroups
- European standardization organizations (CEN, CENELEC, ETSI) developing harmonized standards
- 27 national market surveillance authorities
- 27 national competent authorities under sectoral regulation (MiCA, AMLR, DORA) where they overlap with AI oversight
- The European Data Protection Board where GDPR and AI Act intersect
- National data protection authorities in each member state
Add the UK (which is developing its own AI regulatory approach independent of the AI Act) and the US (SR 11-7, proposed federal AI legislation, state-level laws like Colorado AI Act, NYC Local Law 144), and the total monitoring footprint for a global fintech is well over 100 sources publishing AI-relevant guidance continuously.
Spreadsheets don't scale to this. Google Alerts don't scale. Even a dedicated regulatory analyst can't scale — the volume of publications exceeds individual human bandwidth. This is the category of problem that AI-powered regulatory intelligence platforms exist to solve.
RegPulse monitors 950+ regulatory sources across crypto, fintech, and AI-adjacent financial services — including all the AI Act-relevant bodies listed above, plus the national implementing authorities and sector regulators where AI Act obligations intersect with MiCA, AMLR, and DORA. Updates are classified by relevance, linked to the sector-specific frameworks they interact with, and delivered to compliance teams in the form and frequency they specify. The goal isn't to replace compliance judgment — it's to ensure compliance teams have the full regulatory picture before judgment is applied.
For teams building their AI Act compliance program now, the tooling question isn't whether to automate monitoring. It's whether to automate before August 2, 2026 or after the first enforcement wave.
8. Penalty Framework and Enforcement Reality
The AI Act's penalty framework is structured in three tiers:
| Violation Type | Maximum Penalty | Example in Fintech |
|---|---|---|
| Prohibited practices (Art. 5) | €35M or 7% of global turnover | Social scoring of customers, emotion recognition in contact centres |
| High-risk non-compliance (Arts. 8–22) | €15M or 3% of global turnover | Deploying credit scoring model without conformity assessment or documentation |
| Incorrect information to regulators | €7.5M or 1% of global turnover | Incomplete EU database registration, inaccurate technical documentation |
For SMEs and startups, the penalties apply at the lower of the absolute amount or percentage — not the higher. For larger entities, it's the higher.
Enforcement is delegated to national market surveillance authorities in each member state. The European Commission has direct enforcement authority for general-purpose AI model providers. Coordination is handled through the AI Board.
The enforcement question most teams care about is: will authorities actually impose maximum penalties, or will early enforcement be educational? The early indicators suggest a tiered approach: genuine attempts at compliance that fall short of technical perfection will likely be met with remediation orders before fines. Clear failures to engage with the framework — no AI inventory, no risk assessment, no documentation — will be met with significant penalties.
GDPR's enforcement trajectory is the closest analog. Year one (2018) was mostly remediation and small fines. Year three and beyond included €746M (Amazon), €405M (Meta), €390M (Meta), €345M (TikTok). The AI Act will likely follow a similar curve, with the difference that the technical complexity of AI systems means enforcement actions may take longer to develop but will be harder to defend against once initiated.
FAQ
Does the EU AI Act apply to my US-based crypto exchange if I serve EU customers?
Yes, if the output of your AI system is used in the EU. The AI Act has explicit extraterritorial reach covering providers and deployers located outside the EU where the AI system's output is used within the Union. A US-based exchange using AI fraud detection on EU customer transactions falls within scope of the deployment obligations, and potentially the provider obligations if the exchange developed the model in-house.
What is the exact deadline for high-risk AI systems compliance?
August 2, 2026. The AI Act entered into force on August 1, 2024, with staggered application dates. Prohibited practices applied from February 2, 2025. GPAI model obligations applied from August 2, 2025. High-risk AI systems obligations (Chapter III) apply from August 2, 2026. Most financial services AI falls in this tier.
Are AML transaction monitoring systems classified as high-risk under the AI Act?
Generally no, but the answer is nuanced. Annex III does not explicitly list AML transaction monitoring. The fraud detection carve-out in point 5(b) generally covers AML monitoring. However, if the same system influences credit decisions, account access, or is based on biometric categorization, high-risk classification can apply. Crypto exchanges should map their AML monitoring outputs carefully to downstream uses.
What penalties apply for violating the AI Act's high-risk system obligations?
Up to €15 million or 3% of worldwide annual turnover, whichever is higher for larger companies. For SMEs and startups, the lower of the two applies. Prohibited practices carry higher penalties (up to €35M or 7% of turnover), and providing incorrect information to regulators carries lower penalties (up to €7.5M or 1% of turnover).
Does the AI Act replace GDPR for AI systems?
No. The AI Act layers on top of GDPR. Every AI system processing personal data remains subject to GDPR's full requirements, including Article 22 rights relating to automated decision-making. The AI Act's data governance obligations (Article 10) and human oversight obligations (Article 14) must be implemented in ways compatible with GDPR, not in substitution for them.
How does the AI Act interact with MiCA for crypto-asset service providers?
The two regimes overlap and must be coordinated. MiCA's operational resilience and risk management requirements (Articles 68 and following) apply to CASP operations including AI-driven systems. The AI Act's high-risk system obligations apply to AI systems used in credit scoring, biometric categorization, and similar use cases. Compliance teams should build an integrated framework where AI Act obligations slot alongside MiCA obligations rather than being treated as independent compliance programs.
What counts as a "substantial modification" that turns a deployer into a provider?
A substantial modification is a change that alters the intended purpose of the AI system or affects its compliance with the requirements of Chapter III. Fine-tuning a general-purpose model for a specific high-risk use case almost always constitutes substantial modification. Re-training on proprietary data for a different purpose than the original vendor specified typically does. Parameter tuning within the vendor's specified operating range typically does not.
Track EU AI Act developments automatically
RegPulse monitors AI Office publications, delegated acts, harmonised standards development, and national implementation — delivering alerts relevant to financial services AI compliance as they happen.
Start free trial →