High-Risk AI · Annex III · EU AI Act
AI Act Compliance
for Credit Scoring Models

Credit scoring is classified as a high-risk AI use case under the EU AI Act (Annex III). StatDec's structured validation framework supports financial institutions in aligning their model validation and governance practices with evolving regulatory expectations.

Our approach builds on established model validation practices, extending them to provide:

  • Robust and well-performing models
  • Stability over time and across portfolio changes
  • Transparent and explainable model drivers
  • Consistent model behaviour across customer segments
  • Clear identification and assessment of differences in model outcomes
Annex III
High-Risk Classification
Aug 2026*
Compliance Deadline — see note
7
Validation Dimensions
3-in-1
AI Act · EBA · GDPR Art.22
Request a Readiness Assessment
Regulatory Context
Why credit scoring models are in scope

The EU AI Act classifies credit scoring systems under Annex III as high-risk AI systems — based on their purpose, not the underlying technology.

This means institutions must demonstrate that models are:

  • Appropriately governed throughout their lifecycle
  • Based on sound and representative data
  • Validated, monitored, and documented
  • Transparent and explainable in their decisioning

StatDec's framework addresses key requirements from:

  • EU AI Act (high-risk AI systems)
  • EBA GL/2020/06 (model risk management)
  • GDPR Article 22 (automated decisioning & transparency)

Supporting a consistent and efficient approach to model validation and governance.

Obligations
Key AI Act requirements for credit scoring models
Art. 9 Risk management across the model lifecycle
Art. 10 Data governance and representativeness
Art. 11 Technical documentation (Annex IV)
Art. 12 Transparency and logging
Art. 14 Human oversight mechanisms
Art. 15 Accuracy, robustness, and performance monitoring
⚠️ Prohibited practices (Art. 5)

Require careful assessment of variables and model design to avoid unintended reconstruction of protected characteristics.

Our Framework
A Structured Validation Framework Across the Model Lifecycle

StatDec's framework extends traditional model validation to assess how models behave in practice — across data, features, outputs, and decision outcomes.

01
Data Assessment

Evaluate training and validation datasets for representativeness, completeness, and potential sources of bias.

02
Feature Analysis

Review model inputs to ensure appropriate use, clear justification, and assessment of potential proxy effects.

03
Model Performance

Assess discriminatory power, calibration, and overall model performance.

04
Consistency Across Segments

Evaluate whether model performance and risk estimation are consistent across customer segments.

05
Outcome & Error Analysis

Analyse differences in approval rates, default rates, and error patterns across populations.

06
Monitoring & Stability

Design monitoring approaches covering performance, stability, and behaviour over time.

07
Documentation & Governance

Produce structured documentation supporting transparency, audit readiness, and regulatory review.

What You Receive
Deliverables

Structured outputs designed for validation, governance, and regulatory review:

📋
AI Act Readiness Assessment

Gap analysis of your model inventory against Annex III obligations — scope, gaps, and priority actions.

📊
Model Behaviour & Consistency Analysis

Full validation across the 7 dimensions with documented metrics, findings, and recommendations per model.

📁
Technical Documentation (Annex IV)

Structured documentation aligned with Annex IV expectations, suitable for regulatory review.

🔍
Feature Review & Proxy Risk Assessment

Systematic review of model inputs for appropriateness, justification, and potential proxy effects.

⚙️
Human Oversight Framework Design

Design of oversight mechanisms aligned with Art. 14 requirements and operational workflows.

📅
Monitoring & Validation Framework

Ongoing monitoring plan covering performance, stability, and outcome review over time.

Key Dates
Compliance Timeline
August 2024 In Force

AI Act entered into force. The 24-month clock for high-risk AI obligations started.

February 2025 Active Now

Prohibited practices (Art. 5) fully applicable — including restrictions on proxy variable use. Already enforceable.

August 2026* Key Deadline

Full high-risk AI obligations apply. Credit scoring models must be fully compliant — Annex IV documentation, validation, human oversight, and monitoring frameworks all required. * See regulatory note below.

August 2027 GPAI Rules

General-purpose AI model obligations fully apply. Relevant where LLMs or foundation models are used in any part of the credit decisioning process.

💡 Planning consideration

Given typical model validation cycles of 3–6 months, institutions planning for the August 2026 deadline should consider initiating their assessment in Q1 2026 at the latest. A gap assessment now will clarify the scope and sequencing of work required.

Discuss your model validation requirements

Talk to StatDec about your credit model inventory. We can help assess scope, identify gaps, and design an appropriate validation and governance approach.

Get in Touch
🕒 Regulatory Notice — Implementation Timeline & Scope
* TIMELINE
Compliance deadline under review

The current statutory deadline for high-risk AI system obligations is 2 August 2026. The European Commission's Digital Omnibus package (November 2025), subsequently adopted by the European Parliament, proposes to extend this to 2 December 2027 for Annex III high-risk systems including credit scoring. This proposal requires approval by the Council of the EU and is not yet law. The August 2026 deadline remains technically in force until the amended regulation is published. This page will be updated as the legislative process concludes.

SCOPE
Models already live are not automatically exempt

Under Article 111(2), high-risk AI systems placed on the market before the compliance deadline are not immediately subject to the Act's obligations — unless and until they undergo a substantial modification. For credit scoring models, this includes redevelopment, retraining on new data, addition of new input variables, expansion to a new portfolio or population, and characteristic realignment. Any such change triggers full compliance obligations from that point.

In practice, credit scoring models are routinely modified as part of normal lifecycle management. Institutions should not assume that a model currently in production will remain outside the Act's scope indefinitely. Early preparation reduces the risk of a compliance gap arising at the point of the next model change.

Information Security Policy

This policy aims to protect StatDec’s information from internal and external threats, ensuring the confidentiality, integrity, and availability of information, both for its clients and its own operations.

The policy applies to all employees, partners, and external suppliers of StatDec who have access to the company’s information systems, data, and infrastructure, including data analysis and credit scoring models.

StatDec is committed to the following principles of information security:

  • Confidentiality: We ensure that our clients' information and business data are accessible only to authorized individuals.

  • Integrity: We ensure the accuracy and completeness of information and prevent any unauthorized changes.

  • Availability: We ensure that information and systems are available when needed by their users.

StatDec follows a continuous risk management process that includes the regular identification and assessment of threats in the field of information security, particularly in areas related to data analysis and the development of models for the banking and insurance sectors.

All StatDec employees are responsible for:

  • Following information security procedures.

  • Immediately reporting any security incidents or suspicious activity.

  • Participating in regular training sessions on information security.

This policy fully complies with ISO 27001:2022, as well as all relevant regulations and legislation, such as the General Data Protection Regulation (GDPR) and other data security-related regulations.

The information security policy will be reviewed annually or when there are significant changes in StatDec’s business data and operations, aiming for the continuous improvement of the Information Security Management System (ISMS).

The company ensures that all employees are adequately trained in security procedures through regular training and updates on information security threats.

This policy has been approved by StatDec’s management and will be communicated to all employees and partners for immediate compliance and implementation.

 
Our business Values and practices, as developed over the years are:
 

Commitment & Responsibility – We take ownership of our assignments and we are committed to provide superior services to our clients.

Quality – We believe in our work and we place our outmost care on each project.

Integrity – Proud for our strong business ethics and integrity.

Respect – Statdec’s working culture is in its core based on respect; towards and from our clients and associates, but also between staff members

A Tailored Solution – No two institutions or sets of circumstances are the same; In StatDec we do not offer off-the-shelf solutions but instead approach each project as a unique challenge and delivers targeted solutions set at the correct level for each situation. 

Full Consultation – Success in retail banking involves the interaction of many processes and areas of the business. With our in-depth knowledge and extensive experience of the whole cycle, we are able to advise our clients on the impact of changes not only in the area being examined but also the knock-on effects on other areas of the business.

Not content with just reporting numbers; all of our reports, analysis and other outputs are reviewed by more than one experienced professionals who add targeted consultation and actionable recommendations

Full Disclosure – StatDec abhors the black-box approach offered by many in the industry. In order for a business to progress it is essential that their staff becomes familiar with the rationale, functioning and impact of all parts of the credit cycle. To this end, knowledge transfer is an inherent and fundamental part of every StatDec’s project.

Collaboration – is the key to the success of a project with both parties, StatDec team and the client, working closely together, building trust and each providing important insights; StatDec will bring the same high degree of commitment to every project

IT-Independent Solutions that allow flexibility in implementation alternatives and avoid compatibility constraints

Flexible and Responsive Project Management, so as to link deliverables with findings throughout the analysis

Management

Consulting Team

The consulting team of StatDec is formed by professionals with extensive experience in modelling and consulting in retail portfolios.

Petros Kapasouris, President of the Management Board

Nikolas Karanasios, Chief Executive Officer

Dimitris Velopetropoulos, Senior Risk Manager

Christos Grammatikos,  Senior Risk Manager

Staff

StatDec's analytics and consulting staff has a strong educational background with postgraduate degrees in fields of mathematics, statistics, operational research and decision sciences.  

Training and self-improvement is part of StatDec's business ethics.

  1. Portfolios Valuation
  2. History and Background
  3. Clients
  4. Training

Better decisions with MetaScores

Combine your Models Inventory for an holistic risk assesment with the use of MetaScores 
 

30 Years of Advanced Analytics

StatDec does Predictive Models over the last 30 years. Learn more about us

Indepedent Validation

Achieve compliancy and results with our Models Validation Services

IFRS9 & Basel

Models Development, Consulting and Support is our main business. Learn more on IFRS9 and Basel services.