A European Neobank Just Asked Whether Your AI KYC Tool Keeps Automatic Logs Under Article 12 of the EU AI Act: Here's How to Answer

Your head of partnerships forwarded the questionnaire mid-afternoon. A neobank preparing for FCA and DNB regulatory examinations is evaluating your AI-powered KYC and customer onboarding tool. Their compliance officer has flagged one question as a blocker before they will approve the vendor onboarding:

"Does the system automatically log AI-generated outputs and relevant input data as required under Article 12 of the EU AI Act? Please describe the log retention period and format."

Article 12 is brief — four paragraphs — but it has significant operational implications for AI systems used in regulated financial services. Here is what it requires and exactly how to answer.

What Article 12 Requires

Article 12 requires that high-risk AI systems be designed and built to automatically generate logs of their operation throughout their lifetime. The logs must enable post-hoc monitoring of the system's operation and allow competent authorities, deployers, and providers to verify compliance with the requirements of Chapter III, Section 2.

Specifically, Article 12 requires that the system automatically record:

  • The periods of each use of the system (start and end timestamps)
  • The reference database against which input data has been checked, where applicable
  • Input data that led to a given output, or at minimum a description or specification of that data
  • The identity of persons involved in verification of results where human oversight mechanisms are activated

The level of detail logged must be sufficient to identify the cause of errors or unexpected outputs during the operational lifetime of the system.

Why Neobanks Ask This Question

A neobank using your KYC tool to verify customer identities and assess onboarding risk operates in a heavily supervised environment. Their regulators — the FCA in the UK, the DNB in the Netherlands, BaFin in Germany — expect to be able to audit any decision that affected a customer's access to financial services. That includes AI-assisted decisions.

When a regulator asks "show me what the system decided and why," the compliance officer reaches for the logs. If the logs do not exist, or do not contain sufficient input data and output records, the neobank has a regulatory problem — and they trace that problem back to your tool.

The compliance officer asking this question is protecting themselves before they are inside your contract. They need to know the logs are there, what they contain, and how long they are kept.

What Your Answer Must Cover

Log existence and automation. The logs must be generated automatically — not manually curated. A process where staff download and save outputs is not Article 12 compliant. Confirm that your system logs are generated in the background, continuously, without human initiation.

What the logs capture. For an AI KYC tool, Article 12-compliant logs typically include: timestamp and session identifier for each identity verification run; input data specification (document type, fields extracted, identity attributes submitted); the AI output (risk score, decision recommendation, confidence level); any watchlist or sanctions database referenced; and the identity of the human reviewer who accepted or overrode the AI recommendation where human-in-the-loop is triggered.

Log format. Describe the format: structured (JSON, XML, database rows) or unstructured (text file, PDF). Structured logs that can be queried by regulators without proprietary tooling are strongly preferred in financial services. If your logs are structured and exportable to CSV or via API, say so.
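A completeness check over an exported log, covering the fields and structured format described above. This is an added example, not code from any vendor or from the article's author; the JSON Lines layout, the field names and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Field names are assumptions for this example, mapped to the items listed above.
REQUIRED = {"session_id": str, "started_at": str, "ended_at": str, "input_spec": dict,
            "ai_output": dict, "reference_databases": list, "human_review": dict}
OUTPUT_KEYS = ("risk_score", "recommendation", "confidence")

def check_record(rec):
    """Return the gaps found in one verification-run log record."""
    # reference_databases may be an empty list ("where applicable"); the rest may not.
    gaps = [f"missing, mistyped or empty: {k}" for k, t in REQUIRED.items()
            if not isinstance(rec.get(k), t) or (t is not list and not rec[k])]
    if gaps:
        return gaps
    try:
        start, end = (datetime.fromisoformat(rec[k]) for k in ("started_at", "ended_at"))
        if start.tzinfo is None or end.tzinfo is None:
            gaps.append("timestamp lacks a UTC offset")
        elif end < start:
            gaps.append("ended_at precedes started_at")
    except ValueError:
        gaps.append("timestamp is not ISO 8601")
    gaps += [f"ai_output lacks {k}" for k in OUTPUT_KEYS if k not in rec["ai_output"]]
    review = rec["human_review"]
    if review.get("triggered") and not review.get("reviewer_id"):
        gaps.append("human review triggered but reviewer_id is empty")
    return gaps

def audit_log(jsonl_text):
    """Check a JSON Lines export; return {session_id or line number: gaps}."""
    report = {}
    for n, line in enumerate(jsonl_text.splitlines(), 1):
        try:
            rec = json.loads(line)
            gaps = check_record(rec) if isinstance(rec, dict) else ["not a JSON object"]
        except json.JSONDecodeError:
            rec, gaps = {}, ["not valid JSON"]
        sid = rec.get("session_id") if isinstance(rec, dict) else None
        if gaps:
            report[sid if isinstance(sid, str) else f"line {n}"] = gaps
    return report

# Constructed sample export: s-001 is complete, s-002 has two gaps.
OK_RECORD = {"session_id": "s-001", "started_at": "2025-01-10T09:00:00+00:00",
             "ended_at": "2025-01-10T09:00:04+00:00", "input_spec": {"document_type": "passport"},
             "ai_output": {"risk_score": 0.12, "recommendation": "approve", "confidence": 0.97},
             "reference_databases": ["sanctions-list"], "human_review": {"triggered": False}}
BAD_RECORD = dict(OK_RECORD, session_id="s-002", human_review={"triggered": True, "reviewer_id": ""},
                  ai_output={"risk_score": 0.81, "recommendation": "reject"})
SAMPLE = "\n".join(json.dumps(r) for r in (OK_RECORD, BAD_RECORD))
```

Running `audit_log` over a day's export before handing it to a deployer shows which runs would fail a "what did the system decide and who reviewed it" request.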

Retention period. Article 12 does not specify a minimum retention period; it requires logs to be kept for the operational lifetime of the system. However, most deployers in financial services apply sector-specific retention requirements on top. In EU financial services, AML record-keeping requirements under the 6th AML Directive typically require transaction records to be kept for five years. Your log retention period should meet or exceed the longest applicable sectoral requirement, typically five years for a financial services deployment. State your retention period explicitly.

Deployer log access. Article 22(5) requires that providers ensure deployers have access to the logs generated by the system to the extent this is within their control. Confirm whether the neobank can access its own logs independently (via a portal, export function, or API) or whether they must request exports from you. Deployers who can access their own logs without depending on the vendor are in a stronger regulatory position.

The Short Answer for the Questionnaire

A direct, compliant answer to the question looks like this:

"Yes. Our system automatically generates structured operational logs for each KYC verification run. Logs capture: session timestamp and ID; document type and extracted identity attributes submitted for verification; AI risk score and decision recommendation; sanctions and PEP databases queried; and reviewer identity where human review is triggered. Logs are retained for [X] years, meeting applicable AML record-keeping requirements. Deployers access their own logs via [portal/API/export function]. Full log specification and a sample log schema are available under NDA."

One paragraph. It answers every part of the questionnaire item and positions you as an operator that understands the regulatory environment your customers work in.

What to Review Before Your Next Financial Services Deal

If you cannot currently answer "yes, we automatically log input data, outputs, and human oversight activations for every run" — that is an Article 12 gap, not a sales problem. Enterprise financial services customers cannot sign a contract for a high-risk AI tool that does not meet the logging requirement, because their regulators will eventually ask for the logs. The time to close this gap is before the next RFP arrives, not while it is in progress.

Try Complizo free at complizo.com
