
GPAI in banks and insurers: when general-purpose AI becomes a compliance topic

General-purpose AI models and services built on top of them are already used in financial institutions. For institutions, the focus is less on GPAI provider duties themselves and more on controlled use, privacy, inventory, supplier review and role allocation.

What GPAI means

GPAI models are AI models that can be used for a broad range of tasks. Providers such as OpenAI, Microsoft, Anthropic, Google, Mistral or Meta may be subject to provider obligations under Art. 53 to 56 EU AI Act. Financial institutions are typically users or deployers of AI systems and services built on such models.

Typical GPAI use in financial institutions

Service             | Typical use                                      | Governance question
--------------------|--------------------------------------------------|------------------------------------------------------
ChatGPT / GPT       | Text analysis, summaries, internal documentation | Data categories, DPA, TIA, usage rules
Microsoft Copilot   | Office, Teams, Outlook, Excel                    | Tenant configuration, permissions, logging
Claude / Gemini     | Research, text processing, analysis              | Approval process and third-country transfer
GitHub Copilot      | Code support                                     | Source code, security review, IP and privacy questions
Local LLMs          | Internal analysis of sensitive data              | Operating model, model risk, security and monitoring

Governance duties for institutions

  • include GPAI services and API uses in the AI inventory
  • document purposes, data categories and responsible owners
  • review GDPR roles, data processing agreements and third-country transfers
  • ensure AI literacy under Art. 4 EU AI Act for users
  • provider due diligence: Code of Practice status, documentation and security evidence
  • limit shadow GPAI through technical and organisational controls

When the institution may become a provider

Art. 25 EU AI Act is relevant where an institution places an AI system on the market or puts it into service under its own name or trademark, or where it makes a substantial modification to the system or its intended purpose. Fine-tuning, RAG and in-house AI applications do not automatically trigger provider duties, but each should be assessed for a change of purpose, high-risk use and effects on external parties.

GPAI Code of Practice

The European Commission published the GPAI Code of Practice on 10 July 2025. It is a voluntary tool for GPAI model providers to demonstrate compliance with transparency, copyright and, for systemic-risk models, safety and security requirements. For institutions, signature and evidence status is a due-diligence signal, but it does not replace their own assessment.

Board-level questions

  • Which GPAI services are officially approved, and which are used in practice?
  • May personal data, customer data or confidential documents be entered?
  • Which providers have signed the GPAI Code of Practice or provide alternative evidence?
  • Which RAG or fine-tuning applications change the purpose of a system?

Would you like to know where your institution stands?

We can discuss your specific situation and prioritise the next steps towards auditable AI governance.

Notice: This page is for general information about GPAI governance. Provider, deployer and data-protection roles must be assessed for each service, contract and use context. Status: June 2026.