Your mortgage application was rejected. You asked why. CreditCore Bank's support bot replied: "Your application did not meet the criteria of our credit assessment model. We are unable to share details of our proprietary scoring methodology as this constitutes confidential business information. You may reapply in 6 months."
The Situation
CreditCore Bank uses an AI credit scoring system to evaluate mortgage applications. The system processes hundreds of data points — income, spending patterns, location, employment history — and outputs a score that determines your eligibility. When it says no, the bank hides behind "proprietary methodology."
This is exactly the scenario the EU AI Act was designed to address. Credit scoring is explicitly named as a high-risk AI use case. High-risk means specific obligations — including the right to explanation — that override the bank's desire to keep its model secret.
Key Law
- EU AI Act Article 86 — Right to Explanation — any person subject to a decision made with the assistance of a high-risk AI system has the right to obtain an explanation of the role the AI played in the decision-making procedure and the main elements of the decision.
- EU AI Act Annex III — Credit Scoring is High-Risk — AI systems used to evaluate the creditworthiness of natural persons or establish their credit score are explicitly classified as high-risk. CreditCore Bank cannot argue otherwise.
- EU AI Act Article 13 — Transparency — high-risk AI systems must be designed so that their operation is sufficiently transparent. A bank is not required to reveal its source code or model weights, but "proprietary methodology" cannot serve as a reason to withhold a meaningful explanation of the main factors that influenced your specific decision.
- GDPR Article 22 — Automated Decision-Making — you have the right not to be subject to a decision based solely on automated processing that produces significant effects. You have the right to human review, to express your point of view, and to contest the decision.
Arguments That Strengthen Your Case
- Name the classification — EU AI Act Annex III explicitly lists credit scoring as high-risk. CreditCore Bank cannot claim their model falls outside this category.
- Invoke Article 86 — request a written explanation of the main factors the AI weighed in your specific case. They are not required to share source code or model weights, but they must provide a meaningful account of the logic behind your outcome.
- Invoke GDPR Article 22 simultaneously — request human review of the automated decision and the opportunity to express your point of view. This right exists independently of the AI Act.
- Set a deadline — GDPR Article 12 gives them one month to respond to data subject rights requests. State that you will escalate to your national data protection authority if they do not comply within that timeframe.
About This Case
Can a bank refuse to explain an AI credit decision?
No. EU AI Act Article 86 requires deployers of high-risk AI systems to provide meaningful explanations of individual decisions to affected persons. Credit scoring is explicitly listed as high-risk in Annex III. "Proprietary methodology" is not a valid exemption from this obligation.
What is the strongest argument against a black box credit refusal?
Cite EU AI Act Article 86 for the right to explanation and GDPR Article 22 for the right to human review. Both apply simultaneously — demand both in the same message. The combination is very difficult for the bank to deflect.
How do I practice this case?
Play this case free at fixai.dev — no account required.