What the FRIA is
Art. 27 EU AI Act requires an assessment of the impact on fundamental rights before certain high-risk AI systems are deployed. The FRIA complements a data protection impact assessment, but does not automatically replace it.
Who is particularly affected in the financial sector
Art. 27(1) applies to deployers that are bodies governed by public law or private entities providing public services, and, regardless of that status, to every deployer of a high-risk AI system under Annex III 5(b) or 5(c). For banks and insurers, the FRIA question is therefore especially relevant for creditworthiness assessment and credit scoring of natural persons (Annex III 5(b) excludes systems used to detect financial fraud) and for risk assessment and pricing of natural persons in life and health insurance.
| Annex III | Area | Typical systems |
|---|---|---|
| 5(b) | Access to essential private and public services | AI-supported creditworthiness assessment of natural persons, credit scoring, decision support for loan applications (not: fraud-detection systems, which 5(b) excludes) |
| 5(c) | Access to essential private and public services: life and health insurance | AI-supported risk assessment and pricing for natural persons |
| 4 | Employment, workers management and access to self-employment | HR AI (e.g. recruitment, promotion, performance monitoring) is high-risk; Art. 27 covers it only for deployers that are bodies governed by public law or private entities providing public services, so whether a private financial institution has a FRIA obligation for such systems must be assessed separately. |
Required contents under Art. 27
- description of the deployer's processes in which the high-risk AI system will be used, in line with its intended purpose
- period of time within which, and frequency with which, the system is intended to be used
- categories of natural persons and groups likely to be affected in the specific context of use
- specific risks of harm likely to affect those persons or groups, taking into account the information the provider supplies under Art. 13 (instructions for use)
- description of how the human oversight measures are implemented, according to the instructions for use
- measures to be taken if those risks materialise, including internal governance arrangements and complaint mechanisms
- after completion: notification of the results to the market surveillance authority using the template the AI Office is to provide, unless the deployer is exempt from notification (the derogation case in Art. 46(1)); for overlapping content, a previously conducted FRIA or an impact assessment already carried out by the provider may be relied on
Fundamental rights relevant to financial services
| Fundamental right | Typical relevance |
|---|---|
| Non-discrimination | Bias in credit, pricing, underwriting or HR processes |
| Protection of personal data | Financial data, health data, creditworthiness data and profiling |
| Right to an effective remedy | Traceability and contestability of AI-supported decisions |
| Human dignity and fair treatment | Avoidance of degrading or fully uncontrolled decisions |
Coordinating FRIA and DPIA
Where personal data is processed and the processing is likely to result in a high risk to individuals, a data protection impact assessment under Art. 35 GDPR must also be carried out. Art. 27(4) EU AI Act expressly provides that, where a DPIA already covers parts of the FRIA content, the FRIA complements that DPIA rather than duplicating it. In practice, a shared analysis process with separately traceable outcomes for each instrument is sensible, so that both the GDPR and the AI Act obligation can be evidenced on their own.
When the FRIA is prepared
The FRIA must be carried out before the first use of the relevant high-risk AI system. In similar cases the deployer may rely on a FRIA it has already conducted, but must update the assessment if key elements change or are no longer current. For systems already in use, remediation should be included in the AI governance roadmap.