AI Governance in Fraud Detection

When European lawmakers drafted GDPR's provisions on automated decision-making, few anticipated how rapidly AI would transform fraud detection. The vague requirement for "meaningful information about the logic involved" seemed manageable when rules were straightforward. Five years later, as neural networks and ensemble models increasingly drive transaction approvals, those same provisions have taken on new significance. Now, with the EU AI Act set to classify fraud detection as "high-risk AI," financial institutions face a profound shift in how they select, deploy, and govern their critical security infrastructure.

The Right to Explanation Under GDPR

While GDPR does not explicitly mandate a full "right to explanation" but establishes key principles requiring AI decisions to be transparent and contestable:

• Article 22(1): Consumers have the right not to be subject to a decision solely based on automated processing if it has significant legal effects.
• Articles 13, 14 & 15: Organisations must provide "meaningful information" about how automated systems reach decisions, including their logic and significance.
• Article 22(3): AI-driven decisions must include the option for human review and challenge mechanisms.

Key takeaway: Vendors providing fraud detection AI must ensure transparency in their decision-making processes, and financial institutions must provide clear communication channels for disputed transactions.

How the EU AI Act Expands These Requirements

Unlike GDPR, which broadly applies to data processing, the AI Act directly regulates AI models—especially high-risk applications in financial services. While fraud detection is not explicitly listed under Annex III (Article 5(b)), it falls under regulatory scrutiny through:

1. Article 6(2): High-Risk AI by Regulatory Obligation

   • AI used in fraud detection is subject to PSD2 (RTS-SCA) and AMLD6 compliance.
   • Because these regulations mandate fraud prevention measures, AI used in these processes is classified as high-risk AI under the AI Act.

2. Recital 38: Financial & Consumer Protection Risks

   • AI systems affecting financial security and consumer rights fall within the AI Act's remit.
   • Fraud detection AI influences access to financial services and transaction security, making it subject to enhanced oversight.

3. Explainability, Bias and Oversight Requirements

   • AI vendors must document decision-making processes to allow financial institutions to meet explainability standards.
   • Models must be tested for bias and fairness to prevent discrimination.
   • Human intervention processes must be clearly defined and regularly audited.

Key takeaway: Issuers and payment providers must treat fraud detection AI as high-risk, requiring enhanced governance, documentation, and bias monitoring.

The UK's "Innovation-First" Approach: Will It Diverge?

The UK has taken a lighter regulatory stance on AI compared to the EU but remains closely aligned:

• UK AI White Paper (2023) prioritises pro-innovation principles but encourages sector-specific regulators (like the FCA) to enforce AI transparency and accountability.
• FCA & BoE AI Discussion Paper signals that AI oversight in financial services will likely mirror EU requirements.
• While the UK avoids the prescriptive high-risk classification of the AI Act, financial AI models are expected to undergo similar governance scrutiny.

Key takeaway: UK issuers should prepare for AI explainability and risk governance frameworks, even if formal classification as "high-risk" AI is less explicit.

Selecting AI Vendors: Key Governance Questions

Smart Rules

• Transparency & Documentation:

  • Can vendors provide audit trails explaining rule-based fraud detection decisions?
  • Are rule modifications documented and traceable for regulatory reporting?

• Adaptability:

  • Can smart rules be adjusted dynamically for evolving fraud patterns while maintaining compliance?

AI Models

• Explainability & Fairness:

  • What level of model interpretability is provided for regulators and auditors?
  • How are models tested for bias and discrimination?

• Performance & Oversight:

  • How is AI model performance monitored over time to prevent accuracy degradation?
  • What human oversight mechanisms are embedded into AI decision-making processes?

• Regulatory Compliance & Flexibility:

  • Can the vendor adapt models quickly to meet evolving EU & UK regulations?
  • Do they support regulatory impact assessments (DPIAs & AI risk assessments)?

Conclusion

Financial institutions cannot afford to treat fraud detection AI as a "black box"—explainability, fairness, and human oversight are now regulatory imperatives. The EU AI Act formalises these governance requirements, while the UK maintains flexibility but will likely align over time. Vendors must proactively provide documentation, bias mitigation, and compliance-ready governance, and issuers must hold them accountable. Now is the time for financial institutions to assess their AI strategies and ensure they meet these evolving standards.