Example output · AI Compliance Officer AI
What the Regulatory Update Triage actually produces
Takes a raw regulatory update (e.g., from the EU AI Office, SEC, FDA, or state AI laws), your AI system inventory, and org context, then classifies the rule as binding or advisory, scores each system by severity, and produces prioritized action items with owners and questions to escalate to counsel.
- Update Content: The EU AI Office published final implementing rules under the EU AI Act classifying credit-scoring and loan-eligibility models as high-risk AI systems (Annex III). Providers must complete conformity assessments, register in the EU AI Act database, implement human oversight mechanisms, and maintain technical documentation by August 2, 2026. Post-market monitoring logs must be retained for 10 years.
- Update Source: EU AI Office
- System Inventory:
  1. CreditLens – ML credit-scoring model, deployed in EU (Germany, France), integrated with loan origination platform.
  2. FraudShield – real-time transaction fraud detection, EU and US.
  3. CustomerIQ – NLP chatbot for customer service, EU and US.
  4. RiskRadar – internal portfolio risk analytics, US-only.
  5. DocParser – automated document extraction for KYC, EU.
- Organization Context: Meridian Financial Services, mid-size retail bank, ~$12B AUM, EU operations via Frankfurt subsidiary. EU AI Act compliance program launched Q1 2025, outside counsel engaged (Hogan Lovells Brussels). Internal AI Governance team of 4.
BINDING with effective date: The EU AI Office implementing rules classifying credit-scoring and loan-eligibility models as high-risk under Annex III are formal regulatory instruments with binding legal effect and an August 2, 2026 compliance deadline. This is NOT interpretive guidance; it is a modification to Annex III listing. Phase-in: high-risk AI systems must complete conformity assessment, register in EU AI Registry, and meet Article 17 QMS requirements by the effective date. Post-market monitoring logs must be retained for 10 years from decision date. Conformity assessment route (Article 43 internal vs notified body) must be selected before deadline.
(1) CreditLens – DIRECTLY AFFECTED, P0. Classification: High-Risk (now explicitly in Annex III for credit-scoring). Triggering provision: Article 6 + Annex III(5) (access to essential services, credit scoring). Current state: unclear if conformity assessment has begun. Action: Regulatory affairs must confirm whether internal (Article 43/Annex VI) or notified body (Article 43/Annex VII) route was selected and current status. Deadline: August 2, 2026.
(2) DocParser – PLAUSIBLY AFFECTED, P1. Reason: automated KYC document extraction may feed into creditworthiness assessment. If DocParser output is directly used in credit decisions without human review, it may be in-scope for Annex III(5). Action: clarify the intended use and deployment context (is it a pre-decisioning filter or post-decision validation?).
(3) FraudShield – NOT DIRECTLY AFFECTED, P2 Monitor. Reason: transaction fraud detection does not fall under credit-scoring or loan-eligibility use cases; however, if FraudShield is positioned as part of an end-to-end credit-risk assessment, it may be in-scope. Action: review product positioning and customer contracts to confirm it is standalone.
(4) CustomerIQ – NOT AFFECTED.
(5) RiskRadar – NOT AFFECTED (internal-use analytics tool, no consumer-facing decision).

(1) CreditLens Conformity Assessment Route – OWNER: Regulatory Affairs (Sarah Klein). ACTION: Confirm internal vs notified body path selection; if not yet selected, engage procurement to identify notified body by June 1, 2026. DEADLINE: June 1, 2026. QUESTION: What is the current status of technical documentation per Article 11 + Annex IV (design specifications, training data, validation, risk management)?
(2) CreditLens EU AI Registry Preparation – OWNER: Regulatory Affairs + Compliance. ACTION: Draft Declaration of Conformity and register system in EU AI Registry by July 1, 2026. QUESTION FOR COUNSEL: Must the Declaration be signed by a C-suite officer or can Regulatory Affairs sign on delegation?
(3) CreditLens Post-Market Monitoring – OWNER: Risk/Compliance. ACTION: Establish technical infrastructure to log credit-scoring decisions, adverse outcomes, and disputes for 10-year retention. Audit schedule: monthly disparity analysis by protected class, quarterly trend review. DEADLINE: July 15, 2026 (to be in place before August 2 deadline).
(4) DocParser Intended-Use Clarification – OWNER: Product/Legal. ACTION: Document whether DocParser output is used directly in credit decisions or only for data-entry efficiency. If directly in-scope, escalate to Regulatory Affairs for conformity assessment plan. DEADLINE: May 31, 2026.
(5) FraudShield Product Positioning Review – OWNER: Product/Legal. ACTION: Confirm FraudShield is not sold or positioned as part of credit-risk assessment. Review customer contracts for scope creep. DEADLINE: June 15, 2026.

QUESTIONS FOR COUNSEL:
(1) Does the August 2, 2026 deadline apply to systems already deployed, or only new deployments after the effective date?
(2) Do customer contracts require our deployers (banks) to implement Article 25 human oversight obligations, and if not, should we amend templates?
(3) Is a 10-year log retention mandate technically feasible for systems already in production (CreditLens deployed since ~2020)?
Replace the sample regulatory update text with the actual notice or rule summary you received, and swap in your own AI system inventory — names, deployment regions, and use cases are what drive the severity scoring. Update the organization context with your entity size, counsel, and program maturity.
Human review: All article citations, severity classifications, and action item deadlines are AI-generated starting points and must be verified by qualified legal counsel before any compliance decision is made — do not treat this output as legal advice.