What vendor AI is
When financial institutions think about artificial intelligence, they usually think of conscious decisions: buying a new AI tool, starting a pilot project, approving a budget. Reality is often different. AI may already be part of the existing software landscape.
This is vendor AI: AI functionality in systems from external providers. For banks and insurers it is critical because deployer duties may arise even if the institution did not develop the model itself.
Typical vendor AI systems
| Area | Typical providers | EU AI Act relevance |
|---|---|---|
| Core banking / lending | Temenos, Finastra, Mambu | AI support in credit decision processes may touch Annex III No. 5(b). |
| Credit scoring | FICO, Moody's Analytics, SAS | Creditworthiness assessment of natural persons is a direct high-risk area. |
| AML / fraud detection | NICE Actimize, Oracle FCCM | Fraud detection is expressly excluded from Annex III No. 5(b); other functions may still trigger data-protection, DORA or governance duties. |
| Life/health underwriting | Guidewire, Sapiens, Duck Creek | Risk assessment and pricing in life/health insurance can be high-risk AI. |
| HR recruiting | Personio, SAP SuccessFactors, Workday | Recruiting, matching, performance evaluation and monitoring may trigger high-risk AI and labour-law duties. |
| Chatbot / customer service | Genesys, NICE CXone, Leena AI | Transparency duties under Art. 50 and data-protection issues in customer dialogues. |
The role shift under Art. 25
Art. 25 EU AI Act contains a practically important rule: an organisation that operates a purchased AI system under its own name, substantially modifies it, or uses it for a different purpose can become subject to provider obligations. What began as a deployer role then turns into a significantly more demanding compliance situation.
- Branding: operation of a vendor system under the institution's own name or brand.
- Substantial modification: adaptation affecting purpose, performance or risk classification.
- Change of purpose: use for a purpose different from that intended by the provider.
The assessment depends on the individual case. Wrongly assuming that the institution is only a deployer can create significant gaps in documentation, conformity and supplier control.
CSRD / ESRS: vendor AI as part of the value chain
Vendor AI can also be relevant for CSRD / ESRS. CSRD requires reporting on own operations and, where applicable, value chains, products, services and business relationships. If purchased AI systems cause discrimination risks or human-rights impacts, procurement, supplier management and governance need to be prepared.
Searching the vendor list for product names is not enough. The decisive factors are release notes, contractual basis, actual use, business processes, role allocation and risk classification. Procurement, IT, compliance and business units must work together.