AI and credit scoring: what lenders need to know
- rozemarijn.de.neve
- Sep 30

By Pierre Berger, Partner and Nicolas Kalokyris, Lead Lawyer, DLA Piper
Artificial intelligence (AI) is reshaping the way lenders assess creditworthiness. Traditional credit scoring models, based on limited financial indicators and linear equations, are gradually being replaced by systems powered by machine learning. These newer models can process large volumes of complex data, offering faster but also more nuanced insight into a borrower's risk profile.
While this evolution opens the door to greater financial inclusion and improves risk prediction, it may also raise legal and ethical questions. In response, the European legislator and supervisory authorities are putting safeguards in place to ensure fairness, transparency and accountability.
1. From scoring systems to algorithmic decisions
Technological innovation plays an increasingly important role in the lending process. From a regulatory point of view, lenders have always focused on potential borrowers’ creditworthiness when deciding whether to grant loans, using credit scores to assess a borrower’s ability to repay a loan. To generate credit scores, lenders analyzed the data available to them about loan applicants, including transaction and payment history, monthly income, marital status, and employment status. Applicants who scored above the minimum required would be approved for loans.
Banks and other lenders quickly saw the potential of AI and machine learning. These technologies enable the use of big data and, increasingly, alternative unstructured and semi-structured data sources to build a more refined view of creditworthiness and improve scoring. Algorithms can incorporate additional qualitative factors, such as consumption patterns and willingness to pay. This leads to faster and cheaper segmentation of the borrower’s profile and, in the end, a faster decision on whether to grant a loan.
According to recent studies, credit scoring models based on machine learning generally predict a loan applicant’s risk of defaulting better than the traditional empirical models do, in particular because they include non-traditional information that improves the model’s predictive power.
However, this increased accuracy has a cost: AI-driven decisions are often difficult to interpret. This is especially the case when borrowers are denied credit based on criteria they don't understand (an issue known as the "black box" problem).
2. The EU regulatory framework
2.1. GDPR – data and decision rights
The GDPR[1] provides that people have the right not to be subject to decisions which are based solely on automated processing when those decisions have a legal or significant effect on the person.
The Court of Justice of the EU (CJEU) clarified what this meant in the context of credit scoring. In Case C-634/21 (QQ v. SCHUFA)[2], it ruled that even if a score is not the final decision, it still qualifies as automated decision-making if it strongly influences the outcome. In other words, preliminary steps such as calculating a credit score can already trigger data protection rights.
In Case C-203/22 (Dun & Bradstreet Austria)[3], the Court added that individuals must receive a meaningful explanation of how such decisions were made. Just naming the algorithm or using technical terms isn't enough. Lenders must explain what data was used, how it was processed and why the result matters.
2.2. AI Act – credit scoring as a high-risk AI
The recently adopted EU Artificial Intelligence Act[4] classifies AI systems used to assess creditworthiness as "high-risk". This means that institutions using such systems must comply with strict obligations on transparency, data quality, human oversight and accountability.
In this context, lenders are typically considered "deployers" of AI systems, as they are the entities that use the AI system in their credit decision-making processes. However, if a lender develops its own credit scoring tool, it may also be seen as a "provider". In most cases, when using tools developed by third parties, banks and financial institutions will fall under the deployer category and must then meet the specific deployer obligations of the AI Act.
Such a classification means that lenders must:
- Ensure that human oversight is effective;
- Maintain transparency around how their systems work;
- Monitor the system for bias, ensure data quality and update the models as needed.
2.3. Consumer Credit Directive II – New rights for consumers
A major update is also coming via the Consumer Credit Directive II[5], adopted in late 2023 and set to apply from November 2026. This Directive strengthens consumer rights in the credit scoring process when the creditworthiness assessment involves the use of automated processing of personal data (including AI). Borrowers will have the right to:
- Receive a clear and understandable explanation of the logic behind credit decisions;
- Express their own point of view to the lender; and
- Request a review by a human of automated decisions.
2.4. EBA guidelines – credit risk supervision and model governance
In addition, financial institutions must comply with the guidelines issued by the European Banking Authority (EBA) on loan origination and monitoring[6]. These guidelines set forth the prudential requirements with which institutions must comply if their lending activities include the use of technological solutions or automated models to evaluate creditworthiness and/or make credit decisions.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
[4] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828.
[5] Directive (EU) 2023/2225 of the European Parliament and of the Council of 18 October 2023 on credit agreements for consumers and repealing Directive 2008/48/EC.
[6] European Banking Authority, Guidelines on loan origination and monitoring, EBA/GL/2020/06, May 2020.


