2.5 · Sector-Specific Regulatory Considerations

Financial Services: EU AI Act meets DORA

Course 02 · 12 min read

Financial services is the sector with the most complex AI regulatory environment. AI in finance is governed by the EU AI Act, GDPR, the Digital Operational Resilience Act (DORA), the FCA's Consumer Duty, PRA model risk expectations, and EBA guidance — a regulatory stack that requires careful coordination.

DORA and AI: What You Need to Know

DORA (Digital Operational Resilience Act) applies to financial entities in the EU from January 2025. Its AI-specific implications are significant:

  • ICT risk management — AI systems are ICT systems under DORA; they must be covered by your ICT risk management framework
  • Third-party risk — AI vendors are third-party ICT providers under DORA; contracts must include specific provisions, concentration risk must be assessed
  • Operational resilience testing — AI systems supporting critical functions must be included in DORA's mandatory resilience testing
  • Incident reporting — AI-related operational incidents meeting DORA's severity thresholds must be reported to regulators

High-Risk AI in Financial Services

The EU AI Act classifies several financial AI applications as high-risk under Annex II:

  • AI used in creditworthiness assessment and credit scoring
  • AI used in life and health insurance risk assessment and pricing
  • AI used in applications for public and private benefits and services

For these systems, the full suite of high-risk obligations applies: technical documentation, conformity assessment, registration in the EU database, human oversight, accuracy and robustness standards.

FCA and Consumer Duty

The FCA's Consumer Duty, fully in force from July 2024, requires firms to demonstrate good outcomes for retail customers. AI systems that interact with or make decisions affecting retail customers must be assessed against the four Consumer Duty outcomes: products and services, price and value, consumer understanding, and consumer support. The FCA has made clear that algorithm-driven customer outcomes are within scope.

The Integration Imperative

In financial services, AI governance cannot be a standalone programme. It must be integrated with your ICT risk management (DORA), your consumer outcomes framework (Consumer Duty), your model risk management programme, and your GDPR framework. Siloed compliance will fail.