Industry · Financial Services
Credit, fraud, KYC — all high-risk under Annex III.
Creditworthiness assessment, pricing, fraud scoring, and AML triage all fall under Annex III §5 (essential services) the moment they touch a natural person. We've done this with three top-50 European banks. Here's what works.
Annex III §5
Essential services
DORA
In effect
Operational resilience for ICT third parties — overlaps with Art. 15.
MiFID II
Algorithmic trading
Article 17 record-keeping aligns with AI Act Article 12.
EBA
ML guidance
EBA model-risk-management guidelines feed our risk register.
DPF
EU↔US flows
Most BFSI stacks have AWS or Snowflake in the loop; DPF + SCC tracked.
What we've seen work
Five plays for BFSI compliance teams.
Map every credit / KYC model to Annex III §5
Use the wizard to formally classify each model. Once it's HIGH_RISK in the register, gap auto-creation handles Articles 9-15 from there.
Tie EBA model-risk management to Article 9
Most BFSI teams already do quarterly model validation. Connect that cadence to Article 9 risk-review status — no duplicate work.
Bridge DORA + Article 15 robustness
The DORA ICT third-party register populates the Integration data-flow view. Article 15 cyber-resilience claims are evidenced by the same controls.
Article 73 incident clock for adverse model decisions
A high-impact denial pattern triggers the 72-hour Article 73 clock. The platform shows both the AI-Act clock and the GDPR Article 33 clock side-by-side.
FRIA when credit affects vulnerable consumers
Required for essential-services deployers. The FRIA template covers fundamental-rights nexus, vulnerable-cohort impact, and human-oversight controls.
Cross-border SCC + DPF tracking
AWS / Snowflake / Salesforce — each is on the data-flow register with transfer mechanism + TIA status visible to legal.
See it on your BFSI stack.
Bring one HIGH_RISK system and we'll classify it on the demo call. Most banks finish the call with a written gap list.