The AI Act on the business side: the bank-insurance Compliance Director's checklist
The EU AI Act and the bank-insurance Compliance Director: 6 concrete obligations to put in place before August 2, 2026, and the trade-offs being made now.
In my conversations with Compliance Directors at large bank-insurance groups over the past few weeks, the tone has changed. The AI Act is no longer a topic to study — it is a topic to steer. The texts have been read, the scopes are broadly clear, but the operational side stays fuzzy. Who does what, on which AI system, with what level of evidence: until those lines are drawn, the compliance team flies blind.
This article draws those lines from the point of view of the business Compliance Director, not the corporate lawyer. Six concrete obligations that crystallize in the field, and five trade-offs that recur in almost every review. The AI Act checklist for the bank-insurance Compliance Director, 75 days before an official deadline that is being politically reopened.
Where the AI Act stands on May 20, 2026
Regulation (EU) 2024/1689 entered into force on August 1, 2024, and most of its provisions apply from August 2, 2026, including the obligations for high-risk AI systems in Annex III. For bank-insurance, that covers creditworthiness assessment of natural persons and pricing in life and health insurance. Fraud detection stays out of scope.
On May 7, 2026, the Council and Parliament reached a provisional political agreement (the “Omnibus VII” package) proposing to postpone the application of high-risk rules for stand-alone systems to December 2, 2027 (and to August 2, 2028 for systems embedded in products). Until that agreement is published in the Official Journal, the August 2, 2026 date remains legally binding. Steering on the assumption of a postponement is a bad bet.
On the French front, two structuring signals. The ACPR, designated market surveillance authority for AI in the financial sector, held an industry meeting on September 17, 2025 and set up a cross-functional task force. And EIOPA, on the insurance side, published on August 6, 2025 its Opinion on AI governance and risk management (EIOPA-BoS-25-360), which formalizes European prudential expectations — data governance, traceability, fairness, cybersecurity, explainability, human oversight.
Independently of the potential 2027 postponement, the supervisors have already published their expectations. The operational window is not the sanctions deadline — it is the summer of 2026, when your prudential supervisor begins asking its first targeted questions.
The Compliance Director’s 6 concrete obligations
Inventory and high-risk qualification
Before any other obligation: who knows, in your organization, which AI systems run in production today on Annex III perimeters? In most organizations the answer is: “IT has one list, the business has another, compliance hasn’t decided.” The high-risk AI inventory must be held by the business Compliance Director, not inherited from an application registry. Annex III qualification is a business qualification decision: it engages your responsibility.
Living technical documentation (Article 11 + Annex IV)
Each high-risk AI system must keep technical documentation up to date throughout its use: intended purpose, data used, performance, risk-management measures, residual bias, governance. The important word is living: these are artifacts updated at every significant change, not a file written once for go-live. It is the most underestimated workstream in the field: it forces you to industrialize the production of evidence.
Fundamental rights impact assessment (Article 27)
For deployers carrying out a creditworthiness assessment or life/health insurance pricing, the AI Act requires a fundamental rights impact assessment (FRIA) and notification of the result to the competent national authority. This obligation is new, and it is not a by-product of the GDPR DPIA: it has its own scope, its own methodology, its own recipient. It is the obligation where your supervisor will look for evidence of your work first.
Effective human oversight (Article 14 + Article 26(2))
Article 14 requires providers to design high-risk systems so that they can be overseen; Article 26(2) requires deployers to assign that oversight to natural persons with the necessary competence, training and authority. For the Compliance Director that means three concrete things. A name: not a function, but a designated person for each system. A trace that this person actually reviewed sensitive decisions within a timeframe consistent with the stakes, not after the fact in a monthly report. Real authority to stop: without the power to suspend the system, oversight is cosmetic.
Explainability to the affected person (Article 86 + GDPR Article 22)
When a decision that produces legal effects on a person, or similarly significantly affects them, is taken on the basis of the output of a high-risk AI system, the affected person has a right to a clear and meaningful explanation of the role the system played and of the main elements of the decision, in accessible terms. For bank-insurance, this transforms the standard wording of credit refusals, insurability refusals and pricing adjustments. A complaint response that says “our model assessed your file” is no longer enough. The stakes are not only legal, they are operational: your customer relationship runs through it.
Post-market monitoring and shutdown protocol (Articles 26(5), 72 and 73)
Article 72 puts post-market monitoring on the provider; Article 26(5) requires the deployer to monitor the system's operation and, where it identifies a risk, to inform the provider and the market surveillance authority and to suspend use; Article 73 covers serious-incident reporting. In practice that assumes a mechanism to measure performance over time, an alert threshold, and, this is what separates serious arrangements from cosmetic ones, a shutdown protocol that can be triggered quickly in case of confirmed drift. If you cannot demonstrate, on an internal test case, that you can switch off a model in under 48 hours without breaking customer service, your file is not credible.
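What the monitoring mechanism and the shutdown protocol of the previous item, and the named, traceable oversight of the item before it, can look like in code, as an added illustration that is not part of the original article and not K-AI's tooling. The drift measure (Population Stability Index over score buckets), the thresholds (0.10 for an alert, 0.25 to put the model on hold), the bucket counts and the decision rule are all constructed assumptions; the regulation prescribes none of them. The point the code makes is structural: the monitor can only place the model on hold and route decisions to manual review, and only the named oversight owner can suspend or resume, with every step recorded with an actor and a timestamp.

```python
"""Drift monitor with a human-controlled kill switch (illustration, assumptions only)."""
import math
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed thresholds: the usual PSI rules of thumb, not a regulatory value.
ALERT_THRESHOLD = 0.10   # notify the oversight owner
STOP_THRESHOLD = 0.25    # stop automated decisions until a human decides

# Constructed score-bucket counts: distribution at go-live, then three later weeks.
BASELINE = {"0-299": 100, "300-499": 300, "500-699": 400, "700+": 200}
WEEK_MILD = {"0-299": 120, "300-499": 310, "500-699": 380, "700+": 190}
WEEK_MODERATE = {"0-299": 220, "300-499": 320, "500-699": 300, "700+": 160}
WEEK_SEVERE = {"0-299": 350, "300-499": 350, "500-699": 200, "700+": 100}


def proportions(counts):
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def psi(baseline_counts, current_counts, eps=1e-6):
    """Population Stability Index between two bucketed distributions.
    A bucket missing on one side is floored at eps so log() stays defined."""
    base, cur = proportions(baseline_counts), proportions(current_counts)
    total = 0.0
    for bucket in set(base) | set(cur):
        pb = max(base.get(bucket, 0.0), eps)
        pc = max(cur.get(bucket, 0.0), eps)
        total += (pc - pb) * math.log(pc / pb)
    return total


@dataclass
class Event:
    when: str     # UTC timestamp of the entry
    kind: str     # measurement | alert | auto_hold | suspend | resume
    actor: str    # "monitor" or the named oversight owner
    detail: str


@dataclass
class ModelGate:
    """Lets the model decide only while it is active; otherwise routes to a human."""
    model_id: str
    oversight_owner: str          # a named natural person, not a team or a role
    baseline: dict
    state: str = "active"         # active | hold | suspended
    log: list = field(default_factory=list)

    def _record(self, kind, actor, detail):
        self.log.append(Event(datetime.now(timezone.utc).isoformat(), kind, actor, detail))

    def observe(self, current_counts):
        """Periodic measurement; returns 'ok', 'alert' or 'hold'."""
        value = psi(self.baseline, current_counts)
        self._record("measurement", "monitor", f"psi={value:.4f}")
        if value >= STOP_THRESHOLD and self.state == "active":
            self.state = "hold"   # safe default: no automated decisions until a human rules
            self._record("auto_hold", "monitor",
                         f"psi {value:.4f} >= {STOP_THRESHOLD}; awaiting {self.oversight_owner}")
            return "hold"
        if value >= ALERT_THRESHOLD:
            self._record("alert", "monitor", f"psi {value:.4f} >= {ALERT_THRESHOLD}")
            return "alert"
        return "ok"

    def decide(self, score, approve_above=600):
        """Toy decision rule (assumed): automated only when the gate is active."""
        if self.state != "active":
            return ("manual_review", self.state)
        return ("approve" if score > approve_above else "refuse", "model")

    def _check_owner(self, actor):
        if actor != self.oversight_owner:
            raise PermissionError(f"{actor} is not the designated oversight owner")

    def suspend(self, actor, reason):
        self._check_owner(actor)
        self.state = "suspended"
        self._record("suspend", actor, reason)

    def resume(self, actor, reason):
        self._check_owner(actor)
        self.state = "active"
        self._record("resume", actor, reason)


if __name__ == "__main__":
    gate = ModelGate("credit-scoring-v3", "Jane Doe", BASELINE)   # constructed names
    for week in (WEEK_MILD, WEEK_MODERATE, WEEK_SEVERE):
        print(gate.observe(week), gate.decide(650))
    gate.resume("Jane Doe", "drift reviewed, recalibrated buckets accepted")
    for e in gate.log:
        print(e.when, e.kind, e.actor, e.detail)
```

The log is the artefact a supervisor can read: measurements, the automatic hold, and the dated entry in which a named person lifted it. Swapping the toy rule for a real model, the PSI for your own performance metric, or the in-memory list for an append-only store does not change that shape.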
Five trade-offs being decided right now
Beyond the checklist, it is the trade-offs that make the difference between a theoretical arrangement and one that will withstand supervision.
Who owns the high-risk AI register? The business Compliance function, with IT feeding it continuously. Not the other way around. If IT holds the register, the qualified risk is the wrong one.
Does the Article 27 FRIA duplicate the GDPR DPIA? No. Merging them into a “hybrid” format loses both. Better two distinct exercises, signed on distinct dates, addressed to different recipients.
Who assumes human oversight on an AI system shared across several business lines? Not the project RACI. You need a governance decision that designates one responsible business line, tasked with coordinating the others. Shared oversight is, in practice, nonexistent.
Suspend the go-live of an Annex III system until the arrangement is in place? I almost always lean toward partial suspension: controlled pilot, narrow perimeter, reinforced oversight, the time to stabilize the evidence. The operational cost is lower than that of a non-compliant file spotted by the supervisor.
Should you wait for confirmation of the December 2027 postponement to calibrate the effort? No. The postponement is not secured, EIOPA and the ACPR have already published their expectations, and the lag between “arrangement written” and “arrangement operating” is measured in months. Better to be ready by summer 2026 and use 2027 to refine.
Frequently asked questions
Which AI systems in a bank or insurer are qualified as high-risk by the AI Act?
Systems assessing the creditworthiness of natural persons (credit scoring) and systems for risk assessment and pricing in life and health insurance are listed in Annex III. Fraud detection benefits from an explicit exception. Decision-support systems in property underwriting or claims management are not systematically Annex III, but can tip into it depending on the degree of automation and the impact on the affected person — one of the trickiest qualification questions.
Who holds the high-risk AI register in a bank-insurer?
The business Compliance function must be its guarantor. IT continuously feeds the underlying application inventory, but it is the qualification decision — Annex III or not, perimeter, risk classification — that determines entry into the register. That decision engages the Compliance Director’s responsibility. An organization that lets IT hold the register risks an under-rated qualification.
Does the AI Act FRIA replace the GDPR impact assessment (DPIA)?
No. The Article 27 fundamental rights impact assessment has its own scope (impact on fundamental rights by a high-risk AI system), its own methodology, and a distinct recipient (the competent national authority, in France the ACPR for bank-insurance). The GDPR DPIA remains mandatory in parallel whenever personal data is processed. The two exercises share the same source data but do not substitute for each other.
How do you concretely demonstrate the effective human oversight required by Article 14?
Three forms of evidence converge: the named designation of a person with the required training and authority, dated traces of real reviews of sensitive decisions within timeframes consistent with the stakes, and a documented shutdown protocol that can be triggered quickly. A log that only records user activity is not proof of oversight. The supervisor will look for the trace of a human review that could, in fact, have modified or cancelled an automated decision.
Should you postpone AI Act workstreams while waiting for confirmation of the December 2027 delay?
No. As of May 20, 2026, the postponement is the subject of a provisional political agreement but has not been adopted; the August 2, 2026 date remains legally binding. Above all, EIOPA and the ACPR have already made public their prudential expectations, which apply independently of the AI Act sanctions calendar. Aiming for compliance by summer 2026 is the right calibration, even if it means using 2027 — should the postponement be confirmed — to refine the evidence.
Conclusion — Preparing for August 2 means winning 2027 rather than enduring it
The AI Act is not an abstract legal object for the Compliance Director of a bank-insurer. It is an operational arrangement to install: six concrete workstreams — inventory, living documentation, FRIA, human oversight, explainability, monitoring — and structuring trade-offs being decided now. The political postponement of May 7, 2026 shifts the sanctions deadline, not the prudential expectations.
The right reflex is to aim for compliance by August 2, 2026 and to use the extra year, where applicable, to stabilize evidence and industrialize processes. That is the angle of attack we install at K-AI with our bank-insurance clients: an operational arrangement, not a corporate file. If you want to discuss it on your own perimeter, contact the K-AI team — no pitch, just an outside view on your six workstreams and five trade-offs.
— Olivier Jourdran, COO K-AI
Cited sources
- European Commission, AI Act — Shaping Europe’s digital future (entry into force August 1, 2024, general application August 2, 2026) — https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
- Council of the European Union, Artificial Intelligence: Council and Parliament agree to simplify and streamline rules (provisional political agreement “Omnibus VII”, May 7, 2026) — https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
- Regulation (EU) 2024/1689 — Annex III (high-risk AI systems) and Articles 11, 14, 26, 27, 72, 86 — https://artificialintelligenceact.eu/annex/3/
- ACPR, The European regulation on artificial intelligence (“AI Act”) (market surveillance authority, industry meeting September 17, 2025) — https://acpr.banque-france.fr/fr/reglementation/focus-sur-la-reglementation/transverse/reglement-europeen-sur-lia-ai-act
- EIOPA, Opinion on Artificial Intelligence governance and risk management (EIOPA-BoS-25-360, August 6, 2025) — https://www.eiopa.europa.eu/eiopa-publishes-opinion-ai-governance-and-risk-management-2025-08-06_en
- CNIL, Entry into force of the European AI regulation: first Q&A — https://www.cnil.fr/fr/entree-en-vigueur-du-reglement-europeen-sur-lia-les-premieres-questions-reponses-de-la-cnil
Related reading
- AI Readiness Assessment 2026 — the ‘Corpus’ pillar every framework leaves out (May 25, 2026)
- Auditing an enterprise document corpus for AI — the K-AI 6-axis method (May 15, 2026)
K-AI already works with CMA CGM, Veolia, PwC, BNP Paribas, TotalEnergies and CEVA Logistics. Partners: AWS, Snowflake, Microsoft, Wavestone, Devoteam.
