A European Challenger Bank Just Asked Whether Redistributing a Third-Party AI Fraud Model Makes You a Distributor Under Article 32 of the EU AI Act: Here's How to Answer
Your enterprise account manager sent over a new question from a European challenger bank mid-morning. The bank is in final stages of evaluating your payment fraud detection platform — which runs on a third-party AI model from a US machine learning provider — and their procurement team has flagged this question as a blocker:
"Your fraud detection service appears to embed a third-party AI model that was developed by another company. Under Article 32 of the EU AI Act, does this make your company a distributor of that AI system? If so, what obligations have you fulfilled, and what documentation can you provide?"
This question is becoming more common as enterprise financial services customers grow more sophisticated about EU AI Act supply chain rules. Here is what Article 32 requires, why banks are asking this, and how to construct a clear answer.
What Article 32 Requires
Article 32 of the EU AI Act sets out obligations for distributors — entities in the supply chain, other than the provider or importer, that make a high-risk AI system available on the EU market without modifying its intended purpose.
The key phrase is "without modifying its intended purpose." If you take a third-party AI model, wrap it in your own product with your own API, rebrand it, and sell it to EU customers as your fraud detection service, the classification question is whether you are:
- The provider (if you have substantially modified the system or assume responsibility for its conformity), or
- The distributor (if you are making an existing conformant system available without material modification)
Under Article 32, before making a high-risk AI system available, a distributor must verify that:
- The system bears the CE marking
- The system is accompanied by the required documentation and instructions for use
- The provider and importer (where applicable) have complied with their obligations under Articles 16 and 31
Distributors must also cooperate with competent authorities, provide information and documentation upon request to demonstrate conformity, and take corrective action if they have reason to believe a system is not in conformity — up to and including withdrawing or recalling it from the market.
Why Challenger Banks Ask This Question
A challenger bank deploying an AI fraud detection system in the EU has direct exposure to PSD2 enforcement, EBA guidelines on AI in banking, and EU AI Act high-risk classification rules. Their compliance function is asking this question because they need to understand who in the supply chain is taking on which obligation.
If your company is a distributor of the underlying AI model, the bank needs to know that the original provider has done the conformity assessment, that a CE marking exists, and that your distribution did not inadvertently break the conformity chain. If you are the provider — because you have substantially modified, retrained, or redeployed the model — then the conformity assessment obligations fall on you.
Getting this wrong has real consequences. If the bank deploys your fraud tool and a supervisory authority later determines the system was not properly placed on the EU market because the distributor did not verify conformity, the bank has deployed a non-conformant high-risk AI system. That is a regulatory finding they trace directly to their vendor due diligence process.
The Provider-vs-Distributor Question in Fraud Detection
Whether you are a provider or distributor under the EU AI Act depends on whether you have materially changed the system's intended purpose, substantially modified its characteristics, or assumed responsibility for conformity by how you sell the product.
The most common scenarios in fintech fraud detection:
You are likely a distributor if: You license the underlying model via API from a provider who maintains the model, you pass through API calls without retraining or fine-tuning, and you market the product under a co-branded or pass-through arrangement where the underlying model provider's technical documentation and conformity assessment are the governing documents.
You are likely a provider if: You have retrained or fine-tuned the model on your own data or your customers' transaction data; you have changed the model's risk thresholds, feature engineering, or output classification logic in ways that affect its operational behavior; you have assumed responsibility for CE marking and drawn up the EU declaration of conformity under your own company name; or your contract with the underlying model vendor does not include their conformity documentation as part of what you pass through to customers.
Most fintech companies building fraud products on top of a third-party model fall into a hybrid position — they have done some modification but may not have done a full conformity assessment. The EU AI Act does not give clean answers for hybrid cases. The safer commercial position is to assume provider obligations if you have made any meaningful modification to the model, and to get your own conformity assessment done rather than relying on an upstream vendor's documentation.
What Your Answer Must Cover
Clarify your role explicitly. State clearly whether you consider yourself the provider or distributor of the AI system under the EU AI Act definitions. Do not leave this ambiguous — the bank's compliance team needs a definitive answer to proceed.
If you are a distributor: Name the provider and importer of the underlying AI system. Confirm that the system bears CE marking. Confirm that you have verified the provider's and importer's compliance with Articles 16 and 31 before making the system available to EU customers. Explain what documentation you hold and what you can provide under NDA.
If you are a provider: Confirm you have drawn up the EU declaration of conformity under your company name. Describe the conformity assessment procedure you followed. State whether the system is CE marked and registered in the EU AI Act database under Article 71.
If you are in a hybrid or unclear position: Be honest about it. Say you are reviewing your classification with EU legal counsel, provide your expected resolution timeline, and commit to providing a definitive written position before the bank's go-live date.
The Short Answer for the Questionnaire
A direct answer for a distributor scenario looks like this:
"We distribute the [Name] AI model developed and CE marked by [Provider Name], an EU-established provider. Before making this system available to EU customers, we verified that it bears the CE marking, is accompanied by the required technical documentation and instructions for use, and that the provider has fulfilled its obligations under Article 16 of the EU AI Act. We hold copies of the EU declaration of conformity and can provide these under NDA. If the provider's conformity status changes, our distribution agreement requires them to notify us and we will inform affected deployers."
A direct answer for a provider scenario looks like this:
"We are the provider of this AI system under the EU AI Act. We have drawn up the EU declaration of conformity under our company name, completed the applicable conformity assessment, and the system is CE marked. Technical documentation under Annex IV is available for review."
What to Review Before Your Next Financial Services RFP
If your fraud detection product runs on a third-party model and you have not yet determined whether you are a provider or distributor under the EU AI Act, that determination should happen before your next RFP lands — not while a compliance officer at a challenger bank is waiting for an answer. The supply chain question will come up in every enterprise financial services deal in the EU from this point forward.