A European Bank Just Asked Whether You Count as a Distributor of the AI Model Powering Your Fraud Detection Tool Under Article 32: How to Answer


The questionnaire from a European bank's procurement team has a section you weren't expecting: "Does your company act as a distributor of any third-party AI system or model incorporated into this product? If so, please describe how you fulfil your Article 32 obligations under the EU AI Act."

This question trips up a lot of B2B SaaS companies, especially those building on top of third-party AI models or APIs. Here's what Article 32 actually requires and how to write a clean answer.

What Article 32 actually requires

Article 32 of the EU AI Act defines a distributor as any person in the supply chain, other than the provider or importer, that makes a high-risk AI system available on the EU market without modifying the system. The key word is without modifying. If you take a third-party AI model, wrap it in your own application, add your own logic, fine-tune it, or embed it as a component, you are almost certainly acting as a provider of the resulting system — not a distributor.

A distributor under Article 32 must:

  • Verify that the system bears the CE marking (where required) and is accompanied by documentation and instructions for use
  • Verify that the provider and importer have fulfilled their obligations under the Act
  • Not make the system available if they have reason to believe it does not conform
  • Cooperate with competent authorities on request

Critically: if a distributor modifies a high-risk AI system in a way that affects its compliance, or makes it available under their own name or trademark, that distributor assumes the obligations of the provider.

How to answer the questionnaire question

For most B2B SaaS fraud detection products, the honest answer is: "We are not a distributor. We build and deploy our own AI system using [foundation model / third-party API] as a component. As the integrating provider, we hold provider obligations under the EU AI Act, including conformity assessment, technical documentation, and CE marking. We do not resell or pass through any third-party AI system without modification."

If you genuinely are distributing a third-party system without modification — for example, acting as a reseller of another vendor's AI-powered fraud tool — then describe the checks you performed: confirming CE marking, reviewing the provider's technical documentation, and verifying that the provider has completed their conformity obligations before you offered the product to customers.

Why procurement teams ask this

Banks and financial institutions under EBA and ECB outsourcing guidelines are required to map AI supply chains carefully. They need to know who bears legal responsibility for each component. Asking the Article 32 question is how they verify that neither they nor their vendor is in a legal grey zone — where a product is on the market but no one has clearly taken on provider obligations.

Answering this question clearly, without ambiguity, demonstrates that your supply chain is well-structured and that you've thought through where your obligations begin.

The faster way to handle procurement questionnaires

Supply chain questions — Article 31 importers, Article 32 distributors, Article 25 value chain responsibilities — appear together on the same page of most enterprise procurement questionnaires. If your team is spending hours researching each article to draft a response, that's time better spent closing the deal.

Complizo is built specifically to generate defensible, accurate answers to EU AI Act questionnaire questions. Describe your product, paste in the questions, and get a draft response in minutes.

Try Complizo free at complizo.com
