EU AI Act & AML: What Compliance Teams Actually Need to Know

The EU AI Act is a reality, and it affects AML teams immensely and sooner than you think. How it applies to different tools and situations is a complex question, and getting it wrong can cause serious problems.

Overestimating its impact leads to unnecessary expense and panic, while underestimating it exposes you to serious regulatory risk. What AML teams really need is to know what the law actually says.

We created this guide to help you understand and navigate the EU AI Act and answer your questions about it, so you don't fall behind.

Section 1: Timeline First - When Does This Actually Apply to You?

When did the EU AI Act come into force?

The law entered into force on August 1, 2024. Many people get this date wrong because they assume it is when all the rules start applying. That is not how it works. There is a difference between the law coming into force and the law being enforced, and its rules apply at different times along a timeline that is moving quickly.

What is the August 2026 deadline and what does it cover?

August 2, 2026, is the main deadline for compliance. This is the day when most of the rules in the Act start being enforced, including the rules for AI systems that are considered high risk. If your compliance stack includes AI systems that are high risk according to Annex III, August 2, 2026, is the date by which you and those systems need to be fully ready for the high-risk regulations.

What is the August 2027 deadline and who does it affect?

The European Union has product safety rules in effect, and some of the products they cover contain high-risk AI systems. Those systems have to start following the rules that come into effect on August 2, 2027. This might sound like a distant future, but it is sooner than you might think. If you are not sure whether your AI systems have to follow these rules, plan around what you need to do in 2026 and work your way back from that date.

Is there anything I need to do right now?

Yes, there is plenty to do. This is where most teams fall behind without realizing it. The 2026 deadline is close, and the work to do now is classification. This means looking thoroughly at every AI system in your AML and compliance stack and figuring out which risk category each one belongs to. You must also write down why you made that decision and find out whether there are any gaps in how you govern these systems. Do not wait until six months before the 2026 deadline to start this work.

Section 2: The Classification Problem - Not All AML AI Is "High Risk"

What does Annex III actually say about financial services AI?

Annex III is the part of the Act that lists the high-risk AI system categories. For the financial services area, it clearly says that AI systems used to figure out how creditworthy someone is or to set credit scores are classified as high risk. What it does not do is create a category called "AI systems for AML" or "AI systems for financial crime". This difference is really important, and it is one of the things most people completely miss when they read Annex III.

Why is credit scoring treated differently from fraud detection?

The Act looks at AI based on what it does and who it affects, not what industry it is part of. Credit scoring has an effect on whether or not someone can get financial services, which is why it is considered high risk. Fraud detection, on the other hand, just points out transactions or behaviors that need to be looked at more closely by a human. The effect on individuals is not the same, and the Act takes this difference into account.

If my tool detects financial crime, is it automatically high risk?

No. This is the mistake people make. The Act says that AI systems used to find fraud are not automatically considered high risk the way credit-related systems are. This does not mean that fraud detection systems do not have to follow any rules. It means that these systems have to be looked at carefully. You cannot just look at a tool, say it is used for financial crime, and then decide how it should be classified. What matters is what the system does and how it affects people.

What about FIUs: are they covered under law enforcement provisions?

This is something that not many people are discussing. The Act says that Financial Intelligence Units (FIUs) that carry out administrative tasks under national anti-money-laundering law are not treated as law enforcement authorities for the purposes of the Act's provisions on AI used by law enforcement. The people who made the law did this on purpose. It means that the AI tools used by FIUs do not automatically have to follow the rules that apply to law enforcement, but compliance teams still need to know exactly how their tools fit into all of this.

So how do I actually classify my AML system?

When we classify a system, we should start with what it does, not what we call it. What kind of decision will this system help with or make on its own? Who will be affected by that decision, and how much? Does the system fit into any of the categories listed in Annex III? We should go through these questions one by one and write down our reasoning.

The regulators want to see how we figured out what kind of system this is, so we have to document everything.

Section 3: If Your System IS High Risk, What's Required?

What obligations apply to high-risk AI systems?

The list is really long. High-risk AI systems need a risk management system that runs continuously, from start to finish. They also need control over their data and assurance that the data is good, documentation that explains how things work, automatic record-keeping of what happens, people overseeing the system to make sure everything is okay, and accuracy, robustness and protection against cyber-attacks. You cannot just check a box and say you have them. High-risk AI systems have to be built with these things in mind, and it makes a difference.

What does "human oversight" mean in practice for AML teams?

The system needs to be set up so that a person can easily understand it, keep an eye on it, and stop it when necessary. For AML teams, this means that alerts need to be clear, recommendations need to be explained in a way that makes sense, and analysts need to be able to work with the outputs the AI system produces. A system that just gives a risk score without saying how it got that score is not good enough. It is also not good enough if an analyst has to click through something they do not understand.

What does data governance look like under the Act?

We need to make sure our training data, validation data, and testing data are of good quality. We have to find and deal with bias in the data. It is also important to keep track of where our data comes from.

For AML systems that learn from decisions, which is happening more and more, we need to be able to say what data the model was trained on. We need to know whether that data is representative and how we handle bias.

If we cannot answer these questions about the AML system we are using, then we have a problem that we should fix now. We should be able to explain what data the AML system was trained on and how we made sure it was fair.

What is "compliance at the level of architecture" and what does it mean for my team?

You cannot make a system follow the rules if it was not made to do that from the start. The people in charge need to be able to see what the system is doing and understand how it works. The system also needs to keep a record of everything it does and manage. These things need to be part of the system, from the beginning not added

When teams are looking at vendors, they need to ask this question: did the people who made this system think about the EU AI Act when they were building it, or are they trying to make it follow the rules afterwards? The EU AI Act is very important. Teams should make sure the system was designed with it in mind.

Section 4: What This Means for AML Vendors

Do I need to audit my vendors' AI systems?

Yes. The Act says that organizations using AI systems are responsible for following the rules. This responsibility cannot be passed to the vendor. You have to know what the vendor's system does and how it is classified, and then check whether it meets the requirements for that classification. A vendor who can't clearly answer these questions is a compliance risk, not only because of the technology but also because they may not be able to help you follow the rules.

What questions should I ask my AML technology provider?

Start here. How have you classified your AI systems under the EU AI Act, and what is the reasoning behind that classification? How does your system make sure that people are in charge and can control what is happening? How does the model come up with its answers, and can the people who use the platform understand how it works? What rules do you have in place to make sure the data used to train and test the system is good? How do you make changes to the model, and do you have to check again that it is still okay when you make them? If someone cannot give you answers to these questions, that says something important about them.

How does Sanction Scanner's FUSION platform approach EU AI Act compliance?

FUSION was built on one idea: AI used for compliance must be easy to understand, and people must be able to check what it does. Every suggestion the AI makes can be traced back to where it came from, whether that is a decision made in the past, a match from a list, or a pattern of behavior. The people who use the system can go with what the AI says, override it, or send it to someone else to look at. Every action taken in the system is recorded. The system is set up so that people are always in charge of what the AI does, not just because the rules say so, but because that is the only way AI can really work in compliance.

Section 5: The 3 Questions Every Compliance Team Should Ask Right Now

Before August 2026, every compliance team should be able to answer these three questions clearly and in writing.

What does each AI tool in our AML stack actually do, and have we documented it?

This is not about what the vendor says it is, or the category they put it in when they sell it. What really matters is what it actually does. You have to think through what it does one step at a time and how it changes the way we make decisions about people or transactions. If you cannot explain what it does, you cannot put it into the right category.

Have we mapped each tool to Annex III based on function, not label?

The classification cannot start with a conclusion. It has to start with the function, work through the Annex III criteria, and arrive at a documented, defensible answer. "We use it for AML so it must be high risk" is not a classification. It is a guess.

If a regulator asked us to explain a system's risk classification tomorrow, could we?

This is the real test. Not whether you have thought about it, but whether you could put a clear, documented answer in front of a regulator today. If the answer is no, that is the place to start.

Edanur Kandaz

Digital Marketing Specialist