Written by: Agata Wojtas, Chief Commercial Officer, Digital Colliers
If you run automated credit scoring in the EU, the compliance clock isn't ticking toward 2027. It already went off. The Court of Justice ruling in SCHUFA (C-634/21, 7 December 2023) settled that automated credit scoring falls under Article 22 GDPR, which means the paperwork you'll need for AI Act high-risk classification in 2027 is largely paperwork you should have on the shelf right now.
Most credit teams I talk to are planning a 2026 project to get ready for the AI Act. That's the wrong shape. The GDPR exposure exists today. The AI Act just adds a second layer on top of it.
What SCHUFA actually said
The Court held that a credit bureau's automated generation of a probability value about a person's ability to meet future payment obligations is itself a "decision" under Article 22(1), as long as a lender draws strongly on that value when deciding whether to grant credit. The reasoning covers the bureau that produces the score and, with even less room for argument, a lender whose own model declines applications automatically. That matters because Article 22 gives the data subject specific rights, and it puts specific obligations on the controller.
In practice, if your model outputs a score that meaningfully drives a lending decision, you owe the applicant:
- A meaningful explanation of the logic involved, not just "the model said no"
- The ability to contest the decision and request human review
- A lawful basis under Article 22(2): the decision must be necessary for entering into or performing the credit contract, authorised by Union or Member State law, or based on the applicant's explicit consent. For most lenders that means contractual necessity or explicit consent, and either way you must be able to name which one you rely on.
- A documented data protection impact assessment (Article 35) covering the scoring logic, the training data, and the fairness controls; systematic automated evaluation that produces legal effects is one of the cases where a DPIA is mandatory, not optional.
GDPR fines reach up to 20 million euros or 4% of global annual turnover, whichever is higher, so this isn't a paperwork exercise you can defer. Supervisory authorities across the EU have started citing SCHUFA in enforcement actions against fintechs and traditional lenders alike.
Why 2027 is a red herring
The EU AI Act's high-risk obligations apply from 2 December 2027. One caveat worth knowing: the regulation as originally enacted sets 2 August 2026 for Annex III systems, and the 2027 date rests on the Commission's Digital Omnibus proposal to postpone them, so anyone planning around 2027 is already betting on a delay. Credit scoring (evaluating the creditworthiness of natural persons or establishing their credit score) is explicitly named as high-risk in Annex III. Fines reach up to 15 million euros or 3% of global annual turnover, and they stack on top of GDPR exposure rather than replacing it.
But here's the thing. The AI Act's high-risk requirements read like a superset of what SCHUFA already forces you to document:
- A risk management system across the model lifecycle
- Data governance covering training, validation and test sets
- Technical documentation of model architecture and performance
- Automatic logging sufficient to reconstruct any individual decision after the fact
- Human oversight measures
- Accuracy, robustness and cybersecurity evidence
If you build the SCHUFA file properly, you're most of the way to the AI Act file. If you wait until 2026 to start, you'll be rebuilding the GDPR work anyway, and you'll have spent two more years shipping decisions you can't fully defend.
The documentation you should have right now
This is the concrete shortlist. If any of these is missing, that's the gap to close first.
- A model card describing inputs, outputs, training data provenance, and known limitations.
- A DPIA that specifically addresses Article 22, including the legal basis you're relying on and the human review path.
- Fairness testing across protected attributes, with results and mitigations documented, not just "we tested it."
- Adverse action explanation logic that produces a specific, meaningful reason per decision (which factors drove this applicant's score down, in plain language), not a generic reason code.
- A decision log that captures the model version, the exact inputs, the output score and the reasons given, with enough detail to recompute any individual score for at least the statutory retention window, and with some protection against records being quietly edited afterwards.
- A human review workflow with named roles, SLAs, and evidence that reviewers can actually override the model.
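Two items on that list are engineering work rather than documents: the per-decision explanation and the reconstructable log. The following is an added illustration, not code from the article or from any lender, of what those look like in practice. It assumes a deliberately transparent logistic scorecard with made-up weights, a constructed "reference applicant" against which reasons are measured, and a hash-chained JSON log; all names and numbers are hypothetical.

```python
"""Added example (not from the article): per-decision reasons plus a decision
log from which every score can be recomputed and whose records cannot be
silently edited. Model, weights, reference applicant and applicants are all
constructed for illustration."""
import hashlib
import json
import math

# Hypothetical, intentionally transparent logistic scorecard (constructed).
MODEL_VERSION = "scorecard-demo-1.0"
WEIGHTS = {
    "months_at_address": 0.02,
    "debt_to_income": -4.0,
    "missed_payments_24m": -0.9,
    "credit_history_years": 0.15,
}
INTERCEPT = 0.5
APPROVAL_THRESHOLD = 0.6  # repayment probability below which we decline

# Reasons are measured relative to a constructed "typical approved applicant":
# a feature is a reason only if it pushed this applicant below that baseline.
REFERENCE = {"months_at_address": 36, "debt_to_income": 0.3,
             "missed_payments_24m": 0, "credit_history_years": 8}

REASON_TEXT = {  # specific wording per feature, not a bare reason code
    "months_at_address": "short time at current address",
    "debt_to_income": "debt-to-income ratio too high",
    "missed_payments_24m": "missed payments in the last 24 months",
    "credit_history_years": "limited length of credit history",
}


def score(features):
    """Probability of repayment from the logistic scorecard."""
    z = INTERCEPT + sum(WEIGHTS[k] * features[k] for k in WEIGHTS)
    return 1.0 / (1.0 + math.exp(-z))


def explain(features, top_n=3):
    """Per-decision reasons: the features whose deviation from the reference
    lowered the score the most, largest negative contribution first."""
    contrib = {k: WEIGHTS[k] * (features[k] - REFERENCE[k]) for k in WEIGHTS}
    negative = sorted((v, k) for k, v in contrib.items() if v < 0)
    return [REASON_TEXT[k] for _, k in negative[:top_n]]


def make_record(applicant_id, features, prev_hash):
    """One decision log entry: everything needed to recompute the score later,
    chained to the previous entry's hash so edits to history are detectable."""
    p = score(features)
    approved = p >= APPROVAL_THRESHOLD
    record = {
        "applicant_id": applicant_id,
        "model_version": MODEL_VERSION,
        "features": features,
        "score": round(p, 6),
        "decision": "approve" if approved else "decline",
        "reasons": [] if approved else explain(features),
        "prev_hash": prev_hash,
    }
    body = json.dumps(record, sort_keys=True).encode()
    record["hash"] = hashlib.sha256(body).hexdigest()
    return record


def verify_log(records):
    """Audit pass: re-derive each hash, check the chain, and recompute every
    score from its logged inputs. Returns (applicant_id, problem) tuples."""
    problems = []
    prev = "genesis"
    for r in records:
        body = {k: v for k, v in r.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != r["hash"]:
            problems.append((r["applicant_id"], "hash mismatch"))
        if r["prev_hash"] != prev:
            problems.append((r["applicant_id"], "chain broken"))
        # Only scores from the model version we still have can be recomputed.
        if r["model_version"] == MODEL_VERSION and round(score(r["features"]), 6) != r["score"]:
            problems.append((r["applicant_id"], "score not reproducible"))
        prev = r["hash"]
    return problems


if __name__ == "__main__":
    # Constructed applicants: one clearly weak, one identical to the reference.
    weak = {"months_at_address": 6, "debt_to_income": 0.55,
            "missed_payments_24m": 2, "credit_history_years": 3}
    r1 = make_record("A-1", weak, "genesis")
    r2 = make_record("A-2", dict(REFERENCE), r1["hash"])
    print(r1["decision"], r1["reasons"])
    print(r2["decision"], r2["reasons"])
    print("audit:", verify_log([r1, r2]))
```

The point of the reference-based explanation is that the reasons are specific to the applicant (the three factors that actually cost them the most against a baseline) rather than a fixed code such as "insufficient credit profile". The log stores the feature vector and model version so an auditor, or a human reviewer handling a contest, can recompute the exact score years later; the hash chain is cheap insurance against someone adjusting a record after a complaint lands. Retention of the model artefact itself for as long as the records is the other half of that guarantee.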
None of this is new. It's just that most lenders built their scoring stack before any of it was required, and the retrofit keeps getting deprioritised.
Scoping the work honestly
A realistic scoping pass has three phases. First, an inventory. List every automated decision that touches credit, including pre-approval, limit changes, and collections triage. A lot of teams miss the last two.
Second, a gap assessment against the SCHUFA checklist above. Be honest about what exists as a living document versus a slide from 2022.
Third, a build plan that treats the AI Act as an extension of the GDPR work, not a separate track. The teams I see handling this well are the ones who put one owner across both regimes, usually sitting between the model risk function and the DPO. When those two functions run parallel projects, the documentation drifts and the auditor finds the seams.
DORA has applied since 17 January 2025, which means your operational resilience evidence is already being examined. Regulators are getting comfortable asking hard questions about AI systems inside financial services. The lenders who look organised in 2027 are the ones who started in 2024.