Trigger: an AI system may influence credit, pricing, fraud, or eligibility outcomes.

Financial AI · Annex III 5(b) · DORA

Make financial AI reviewable
before it prices a person.

Creditworthiness AI is named high-risk in Annex III. Fraud, AML, claims, and pricing models decide access to money. Currents scans them, Ripples record drift, subgroup performance, and lineage, Droplets clear one book of business at a time.

Annex III 5(b) · GDPR Art. 22 · DORADrift and subgroup evidenceMeaningful explanation, not a scoreNo regulatory sign-off claimed
Retail Credit Scorecard v7 (GBM)Cleared with Limits
Art. 6(2) routeAnnex III(5)(b) creditworthiness — fraud models excluded
Art. 10 bias examArt. 10(2)(f) proxy test: postcode, device fingerprint, income band
Reject inferenceDeclined applicants never observed — structural blind spot
GDPR Art. 22Human intervention on refusal · CCD (EU) 2023/2225
Art. 15(1)(h) logicReason codes disclosed — not the raw weights
Annex III(5)(b)GDPR Art. 22CCD 2023/2225DORA

Evidence Records on file

Art. 10(2)(f) proxy test
Art. 15 drift vs threshold
Art. 15(1)(h) reason codes
DORA exit & substitutability
ALP-CREDIT-V7-2026Cleared with Limits

Sensitive context

Why financial AI is classified high-risk, and what that costs in evidence.

Creditworthiness assessment and credit scoring are named in Annex III point 5(b) of the EU AI Act. Classification follows Art. 6 and the function of the system, not the vendor's description of it. That brings a risk management system (Art. 9), data governance including examination for bias (Art. 10), automatic logging (Art. 12), human oversight (Art. 14), and accuracy and robustness that must hold in production (Art. 15). GDPR Art. 22 restricts decisions based solely on automated processing with legal or similarly significant effect, and Art. 15(1)(h) entitles the data subject to meaningful information about the logic involved — a score is not an explanation. The recast Consumer Credit Directive requires the creditworthiness assessment to be explained and preserves a right to human intervention. DORA treats the model provider as an ICT third party: it belongs on the register of information, with substitutability and an exit path. Insurance, fraud, and AML models inherit most of these expectations by analogy and almost none of them by default.

Data categories in scope

Transaction, account, and arrears history
Bureau data, credit files, and affordability inputs
Application data: income, employment, tenure, postcode
Device, behavioural, and channel telemetry
Claims history and insurance medical evidence
Model outputs — scores, limits, fraud flags — which are themselves personal data

People affected

Credit, mortgage, and insurance applicantsThin-file, migrant, and first-generation applicantsCustomers in arrears, forbearance, or financial difficultyFraud-flagged and de-banked individualsSmall businesses with no bureau historyGroups under-represented in the accepted-applicant sample

Risk scenarios

What typically goes wrong.

Specific failure modes seen in this sensitive context — without structured evidence.

A credit model excludes protected attributes and is declared fair on that basis.

Proxy discrimination is untested. Postcode, device, and income correlates reconstruct the excluded attribute. Art. 10(2)(f) requires examination for bias, not exclusion of a column. No disparity measurement exists to show the regulator either way.

An adverse credit decision is explained to the customer with a score and a reason code.

GDPR Art. 15(1)(h) and the Consumer Credit Directive expect meaningful information about the logic and a route to human intervention. No per-decision attribution is retained, so the explanation cannot be reconstructed months later at complaint stage.

A fraud API vendor upgrades the model behind the same endpoint with no notification.

Drift is undetected and the change is unregistered under DORA third-party risk. False-positive rates shift on one customer segment. The evidence approved at onboarding describes a system that has since been replaced.

Credit decision lineage cannot be reconstructed for a supervisory review.

No Art. 12 log tying input, feature values, model version, and threshold to the recorded outcome. Past decisions are unreproducible. The firm cannot show what the applicant was actually assessed against.

A customer-service copilot with tool access can raise limits and release holds.

No human oversight gate and no tool-call log. Art. 22 is engaged by an output that is effectively automated, and the human in the loop cannot see enough to overrule it. Oversight is nominal.

A claims model is retrained quarterly; the fairness audit is annual.

For three quarters of the year the disparity evidence describes a superseded model. Nothing is monitored between audits, so drift and disparity emerge and resolve without ever appearing in the file.

Border control, applied here

Scan the system. Issue the passport. Grant the visa.

What the scan finds in this context, what the passport records, and what conditions the visa attaches.

01

Currents

the scan

What AI is running, and what do we not know about it?

Currents opens the file. It finds every model that touches a money decision, tests whether Annex III 5(b) actually applies, identifies which endpoints are third-party under DORA and which of those are unpinned, and lists the decisions that cannot be reconstructed today because no Art. 12 log ties input, feature values, model version, and threshold to the outcome recorded.

02

Ripples

the passport

What is this system, and what is proven about it?

The Ripple is the evidence passport. It records the training population and its reject-inference blind spot, the bias examination under Art. 10(2)(f) including proxy testing, subgroup performance and drift against the declared operating point under Art. 15, per-decision attribution sufficient for Art. 15(1)(h) and the Consumer Credit Directive, the Art. 22 analysis, and the DORA third-party position of every model provider in the path.

03

Droplets

the visa

May it operate HERE, on THIS data, under WHAT conditions?

The Droplet is the context visa. It clears the model for one book of business: this segment, this threshold, this pinned version, with a human intervention route on every adverse outcome, disparity and drift thresholds that revoke the clearance on breach, and an expiry that forces the fairness evidence to be refreshed rather than aged.

Scope

What needs a Ripple.

Credit scoring and creditworthiness models — Annex III 5(b)
Affordability, pricing, and limit-setting models
Fraud detection and anomaly scoring systems
AML and transaction monitoring models
Insurance claims triage and underwriting models
Customer-facing copilots with account-affecting tool access
Collections, forbearance, and vulnerability-detection AI

Stakeholder workflow

From trigger to access decision.

1

Scan

Art. 6 route · Annex III test

2

Evidence call

Annex IV · Art. 10 bias file

3

Seal Review

DPO · CISO · Art. 14 owner

4

Droplet

Conditions bound · expiring

5

Re-scan

On retrain, drift or model swap

Chief Risk Officer

A credit or fraud model is in production with no drift monitoring and no proxy testing.

Require the Ripple before the next retrain: drift against the declared operating point, bias examination under Art. 10(2)(f), and per-decision attribution.

DPO

A model produces an outcome with legal or similarly significant effect for a customer.

Require the Art. 22 analysis, the legal basis per data category, and evidence that the human reviewer can actually overrule the output.

Compliance Lead

Adverse decisions are explained with a score and a reason code.

Require per-decision attribution retained at decision time, and a human intervention route the customer can reach — Art. 15(1)(h) and the Consumer Credit Directive.

Access decisions

Context Droplet conditions.

The access decisions that apply in this sensitive context — and the evidence conditions that produce them.

Cleared with Limits
  • Drift monitored continuously against the declared operating point
  • Bias examination current, including proxy testing under Art. 10(2)(f)
  • Per-decision attribution retained for every adverse outcome
  • Human intervention route documented and reachable by the customer
Human Review Required
  • Output has legal or similarly significant effect — Art. 22 engaged
  • Reviewer sees the attribution, not only the score, and can overrule
  • Subgroup disparity above threshold pending remediation
  • Complaint or supervisory query open against the model
Review Needed
  • Model retrained since the last fairness evidence was produced
  • Proxy-discrimination testing absent — exclusion of attributes treated as sufficient
  • Model provider not registered as an ICT third party under DORA
  • Decision lineage incomplete — past outcomes unreproducible
Blocked
  • No explanation available for a decision affecting an individual customer
  • Measured disparity above threshold with no remediation plan
  • Unpinned third-party endpoint deciding customer outcomes
  • Agent tool-calls that change accounts with no Art. 12 log line

Measurement

Evidence families we can structure.

The measurable evidence categories relevant to this context and the evidence signals they produce.

Performance & Drift (Art. 15)

Accuracy, precision, recall, AUC and calibration with confidence intervals, tracked continuously against the declared operating point — data drift, concept drift, and threshold movement after every retrain.

Fairness, Proxy & Adverse Impact (Art. 10(2)(f))

Demographic parity, equalised odds, and disparate impact across segments — plus proxy testing that shows what postcode, device, and income correlates reconstruct after protected attributes are dropped.

Explainability & Adverse Action (GDPR Art. 15(1)(h))

Per-decision attribution retained at decision time, sufficient to give the customer meaningful information about the logic and to support the Consumer Credit Directive right to an explanation and human intervention.

Decision Lineage & Logging (Art. 12)

Input, feature values, model version, threshold, and recorded outcome bound together and reconstructable years later — for supervisory review, ombudsman complaint, and litigation.

Human Oversight & Art. 22 Analysis

Whether the decision is solely automated, whether the reviewer sees enough to overrule, and whether they ever do — override rates, not override rights.

Privacy & Data Governance

Legal basis for each data category, special-category data in claims and vulnerability models, DPIA status, minimisation evidence, and subprocessors.

ICT Third-Party & Model Supply Chain (DORA)

Every model provider in the decision path on the register of information, with version pinning, change notification, substitutability, and a tested exit path.

Data protection · GDPR Art. 9 / 35Bias examination · Art. 10(2)(f)Drift vs operating point · Art. 15Logic disclosure · GDPR Art. 15(1)(h)Data lineage · Annex IVHuman oversight · Art. 14

Honest scope

What remains not assessable.

AffectLog does not overclaim. These items require external expertise, regulatory process, or long-term study.

Whether a measured disparity is unlawful discrimination

A disparity is a measurement. Unlawfulness is a legal conclusion involving justification, proportionality, and adjudication — which no evidence platform can reach.

Instead: Route the measured disparity, the proxy analysis, and the business justification to legal and compliance for interpretation against the applicable regime.

Model risk sign-off and supervisory approval

Internal model validation, independent review, and supervisory approval are governance processes with named accountable owners. We produce inputs to them, not the sign-off.

Instead: Engage model risk management and independent validation. Attach our evidence records to the submission as the technical layer.

Error on the applicants you declined

Reject inference is a structural blind spot: production data only contains outcomes for accepted applicants. No amount of monitoring recovers the counterfactual.

Instead: Run a holdout or randomised acceptance study, or use bureau outcomes on declined applicants where lawful. We mark this gap explicitly rather than reporting accuracy as if it were population-wide.

Consumer Duty or conduct-regulation compliance

Conduct compliance is assessed against outcomes for customers across the whole product lifecycle, not against model metrics alone.

Instead: Use the evidence as an input to the conduct review. It is not, and is never presented as, a compliance conclusion.

Example

Sample Ripple for this context.

Ripple — evidence passportCleared with Limits

Creditworthiness Model v2.1

Consumer credit decisioning · Annex III 5(b) high-risk

Evidence78%
Expiry30 Jun 2027
Raw data exportoff
ALP-2026-FIN-C8T2

Access conditions

Drift monitored continuously against the declared operating point
Proxy testing current: postcode, device, and income correlates measured
Per-decision attribution retained — Art. 15(1)(h) explanation reconstructable
No automated decline — human intervention route on every adverse outcome
Model provider on the DORA register; version pinned, change notification contracted
Subgroup disparity reviewed at 90-day intervals; breach revokes the clearance
Reject-inference blind spot recorded — accuracy is not population-wide

What we will not overclaim

AL360° Oceans structures technical and operational evidence for financial AI access decisions. We do not certify fairness, conclude on discrimination, sign off model risk, or determine regulatory compliance. We show measured disparities, drift against the declared operating point, the blind spots in the data, and the review conditions that follow.

Common questions

Questions this context raises.

We have internal model validation — that should be sufficient.

Internal validation answers your model risk framework. It rarely produces what a supervisor, a DPO, or an ombudsman asks for: per-decision attribution retained at decision time, drift since the last retrain, proxy testing, and the DORA position of every provider in the path. The Ripple carries those in one record.

We excluded protected attributes, so the model cannot discriminate.

Excluding a feature does not exclude the information. Postcode, device, employer, and income correlates reconstruct it. Art. 10(2)(f) requires examination for bias, which means measuring what the proxies carry — not asserting that the column is gone.

The model has run for two years without a complaint.

The absence of a complaint is not evidence of correctness — it is evidence that nobody has yet asked. Drift, reject inference, and disparity all accumulate quietly. The first person to ask is usually the one with statutory power to compel an answer.

Get started

Make financial AI reviewable
before the next customer is priced.

Scan the model estate, find which decisions cannot be reconstructed, which vendors are unpinned in the decision path, and which fairness evidence has aged past the last retrain. Then set the conditions each model may operate under.

AL360° Oceans provides technical and operational evidence to support access decisions. Not regulatory compliance, legal advice, or model risk sign-off.