EU AI Act compliance for fintech companies
Credit scoring, loan approval, AML risk profiling, and insurance pricing are all classified as high-risk AI under Annex III. Sovergate logs every LLM call, scrubs PII locally, and generates Article 12 reports — all stored in Germany.
Which fintech AI systems are high-risk
Under Annex III of the EU AI Act, the following AI use cases common in fintech are explicitly classified as high-risk.
Any AI system that evaluates the creditworthiness of natural persons or establishes their credit score. This includes automated underwriting, alternative data scoring, and any LLM used to assess loan applications.
AI systems used for life insurance and health insurance risk assessment, pricing, and eligibility decisions.
AI used for anti-money laundering risk profiling that affects access to financial services falls under point 5b obligations. Note: fraud detection AI that does not affect access to financial services is explicitly excluded.
Any fintech using AI for identity verification using biometric or behavioural data is in scope under point 1.
⚠️ The dual compliance challenge — AI Act and DORA
Fintech companies must comply with both the EU AI Act and DORA. Credit scoring (Annex III, 5b), insurance risk pricing (5c), and biometric verification (1) are all classified as high-risk, requiring risk management (Art. 9), data governance (Art. 10), human oversight (Art. 14), and conformity assessment (Art. 43). The practical implication: fintechs face potential oversight from three or more regulators simultaneously — the national AI supervisory authority, the financial services regulator, and DORA enforcement bodies.
The recommended approach: extend your existing DORA ICT risk management framework to include AI-specific risks under Article 9. Add AI systems to your DORA Register of Information. Sovergate's Article 12 logs integrate directly into this framework.
What Article 12 requires for fintech AI
For every LLM call your credit scoring, loan approval, or AML system makes, Article 12 requires:
- ✓ Automatic logging of every AI decision
- ✓ Tamper-evident records — cryptographic verification that logs have not been modified
- ✓ PII handled in compliance with GDPR — data minimised before logging
- ✓ Minimum 6 months retention — financial services sector rules may require longer
- ✓ Logs available to the ECB, EBA, or national supervisory authority on request
- ✓ Data stored in a GDPR-compliant jurisdiction
Every credit assessment your AI system makes contains sensitive personal data — income, debt, payment history, behavioural signals. Logging that data to a US-based service creates dual exposure: GDPR transfer restrictions and EU AI Act data residency obligations. Your legal and compliance team will block it.
Sovergate stores every log entry in Hetzner's data centre in Nuremberg, Germany. No data crosses the EU border.
How Sovergate works for fintech
Create an AI system in Sovergate. Assign it to the correct Annex III category (point 5b for credit scoring). This forms the basis of your Article 12 record.
Two lines in your existing application. No proxy, no middleware, zero added latency.
Before any data leaves your infrastructure, Sovergate scrubs names, email addresses, national ID numbers, IBANs, income figures, and any other personal data identifiers.
Every log entry is hash-chained. If any entry is modified, the chain breaks. Your logs are tamper-evident and defensible to the EBA or national supervisory authority.
Download a regulator-ready PDF for each AI system every month. Pass it to your compliance team. File it. Done.
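The steps above describe two mechanisms: PII is scrubbed before anything is logged, and each log entry is hash-chained so that modification of any entry breaks the chain. The following is an added illustration of how such a chain detects tampering; it is hypothetical code written for this page, not Sovergate's SDK, and the record fields, placeholder labels, sample applicant text and regexes are all assumptions.

```python
"""Hash-chained, PII-minimised audit log (illustrative, not Sovergate's SDK).

Each entry commits to the SHA-256 of the previous entry, so editing or
deleting any record changes the hashes of everything after it.
"""
import hashlib
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Illustrative patterns only; a production scrubber needs many more
# (names, national IDs, spaced IBAN formats with check-digit validation, ...).
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),   # unspaced IBANs
    "AMOUNT": re.compile(r"(?i)(?:EUR|€)\s?\d[\d,.]*\b"),       # income / loan figures
}

GENESIS = "0" * 64  # prev_hash of the first entry


def scrub(text: str) -> tuple[str, dict[str, int]]:
    """Replace detected PII with typed placeholders before logging.

    Returns the minimised text and a per-type count for the monthly report.
    """
    counts: dict[str, int] = {}
    for label, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def _digest(entry: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditLog:
    """Append-only log; every entry's hash covers its own fields and prev_hash."""

    def __init__(self, system_id: str, annex_iii_point: str):
        self.system_id = system_id
        self.annex_iii_point = annex_iii_point
        self.entries: list[dict] = []

    def record(self, prompt: str, decision: str) -> dict:
        clean_prompt, counts = scrub(prompt)
        clean_decision, more = scrub(decision)
        for label, n in more.items():
            counts[label] = counts.get(label, 0) + n
        entry = {
            "seq": len(self.entries),
            "system_id": self.system_id,
            "annex_iii_point": self.annex_iii_point,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "prompt": clean_prompt,          # only the minimised text is stored
            "decision": clean_decision,
            "pii_scrubbed": counts,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)       # hash over all fields above
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, Optional[int]]:
        """Recompute every hash and check each link to its predecessor.

        Returns (True, None) if intact, else (False, index of first bad entry).
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def demo() -> tuple[tuple[bool, Optional[int]], tuple[bool, Optional[int]]]:
    """Constructed sample: a clean chain, then the same chain with one edit."""
    log = AuditLog("credit-scoring-v2", "5b")
    log.record("Applicant anna.mueller@example.com, IBAN DE89370400440532013000, "
               "declared income €45,000 per year. Assess creditworthiness.",
               "Decline: debt-to-income ratio too high for EUR 12000 requested.")
    log.record("Applicant bob@example.org, declared income EUR 80000.", "Approve")
    intact = log.verify()
    log.entries[0]["decision"] = "Approve"   # simulated after-the-fact edit
    return intact, log.verify()


if __name__ == "__main__":
    print(demo())   # ((True, None), (False, 0))
```

Two caveats a reviewer would raise: a chain only proves that nothing was changed *since the head hash was last witnessed*, so the latest hash must be anchored somewhere the log writer cannot alter (a separate store, a signed timestamp, or a regulator-facing export); and the scrubber runs before the record is built, so raw PII never reaches the log or the hash input.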
What your compliance team gets
A monthly PDF per AI system containing:
- ✓ Total AI decisions logged this period
- ✓ PII detection and scrubbing summary
- ✓ Audit trail integrity verification: PASSED
- ✓ Data residency confirmation: Hetzner, Nuremberg, Germany
- ✓ Log retention status: 6 months active
- ✓ Human oversight event record
This is what the EBA or a national supervisory authority will ask for. Sovergate generates it automatically.
Pricing
- 5 AI systems (credit scoring, AML, insurance…)
- 1,000,000 requests per month
- Monthly Article 12 reports
- PII scrubbing dashboard
- Unlimited AI systems
- Custom log retention for financial services
- SLA guarantee
- DPA signing included
The December 2027 enforcement deadline is closer than it looks.
Initializing the Sovergate SDK takes less than 10 minutes. Securing explicit governance sign-off from your corporate internal audit team takes weeks. Deploy the staging proxy today, export your first verification ledger, and clear compliance blockers early.