A European Payments Platform Just Asked for Your AI Anti-Money-Laundering Tool's EU Declaration of Conformity: Answering the Article 18 Documentation Questions
A European payments platform just sent your team a procurement questionnaire before signing an enterprise deal. Under the section titled "Regulatory Documentation," you see: "Can you provide a copy of the EU Declaration of Conformity for your AI anti-money-laundering tool? If not yet issued, what is your timeline and current conformity status?"
This is one of the most precise questions a FinTech procurement team can ask. It tells you the reviewer knows EU AI Act mechanics, not just buzzwords. Here is how to answer it accurately — and what to do if your declaration does not exist yet.
What Is an EU Declaration of Conformity?
Under Article 18 of the EU AI Act, providers of high-risk AI systems are required to draw up an EU Declaration of Conformity before placing their system on the market. The declaration is a formal, signed document in which the provider states that the AI system complies with all applicable requirements of the EU AI Act. It is not a third-party certification — it is a self-declaration, analogous to a CE marking Declaration of Conformity under other EU product law.
Article 18(2) specifies the content the declaration must contain. At minimum it must include: the name and address of the provider, a clear identification of the AI system (name, version, intended purpose), a statement that the AI system is in conformity with the applicable requirements of the EU AI Act, references to any harmonised standards applied, identification of any notified body involved in the conformity assessment (if applicable for the highest-risk categories), and the name and signature of the person authorised to sign on behalf of the provider, with date and place.
Is an AI AML Tool High-Risk Under the EU AI Act?
Yes, in most configurations. Annex III Category 5(b) covers AI systems used to evaluate the creditworthiness of natural persons or assess credit risk, and Category 5(d) covers AI systems used to evaluate risk and pricing in life and health insurance. More directly relevant is Category 6, which covers AI systems used in the context of law enforcement, border control, and administration of justice. For AML tools used by regulated financial institutions to flag suspicious activity that may lead to regulatory reporting obligations or account restrictions affecting individuals, there is a strong argument that the system is high-risk under Annex III.
Even where a strict reading of Annex III is uncertain, most European FinTech procurement teams will treat an AML tool as requiring full high-risk conformity. Assume high-risk applies and answer accordingly.
How to Answer the Article 18 Declaration Questions
"Can you provide a copy of the EU Declaration of Conformity?"
If you have one, attach it. The declaration should be a standalone document, not buried inside a technical file. It should be dated, signed, and version-matched to the specific product iteration you are selling.
If you do not yet have a formal declaration, do not pretend you do. The honest answer is: "Our EU Declaration of Conformity for [Product Name] version [X] is currently being finalised as part of our EU AI Act conformity process. We expect to issue it by [date]. In the interim, we can provide our draft declaration, our Article 9 risk management documentation, and our technical file index, which together evidence our conformity status at this stage."
Procurement teams understand that EU AI Act compliance is a phased rollout for most vendors. What they cannot forgive is being misled about documentation that does not exist.
"What harmonised standards does your declaration reference?"
This is a technically precise question. As of 2026, the European Commission has not yet published a comprehensive list of harmonised standards for the EU AI Act (the standardisation mandate under CEN/CENELEC is ongoing). Your answer should be accurate: "Our conformity assessment references ISO/IEC 42001:2023 (AI Management Systems) and ISO/IEC 23894:2023 (AI Risk Management), applied as a proxy framework pending the publication of harmonised standards under the EU AI Act. We will update the declaration to reference applicable harmonised standards as they are formally adopted."
Do not claim compliance with standards that have not yet been formally harmonised under the EU AI Act. This is a common error in early compliance documentation that creates legal exposure.
"Was a notified body involved in your conformity assessment?"
For most high-risk AI systems, the conformity assessment can be carried out as a self-assessment by the provider (under Article 43(1)). Involvement of a notified body is only mandatory for AI systems used in certain safety-critical categories — specifically those where no harmonised standards exist and the AI system is intended to be used as a safety component of products covered by specific EU product legislation.
For an AML tool, notified body involvement is typically not required. Your answer: "Our conformity assessment was conducted as a provider self-assessment under Article 43(1) of the EU AI Act. No notified body involvement was required for this system category. Our internal assessment was reviewed by external legal counsel specialising in EU AI Act compliance."
"When was the declaration drawn up, and does it cover the current product version?"
Declarations of Conformity are version-specific. If you update the model materially — for example, retraining on new data that changes the system's performance characteristics in ways that could affect its risk profile — you need to assess whether a new or amended declaration is required. Your procurement answer should state your change management policy: "We maintain version control for our Declaration of Conformity. Material changes to the system that affect its conformity status trigger a review and, where necessary, an updated declaration. The declaration you receive will correspond to the specific version included in your contract."
Why This Question Is Being Asked More Often
The EU AI Act's enforcement deadline (August 2, 2026) means that regulated financial institutions under EBA, ESMA, and ECB supervision are now actively requiring evidence of supplier AI compliance in their third-party risk management frameworks. A Declaration of Conformity is a named deliverable in several draft EBA guidelines on AI use in financial services. Procurement teams are asking for it because their own regulators are starting to ask them whether they have it.
For FinTech AI vendors, this means the Declaration of Conformity has moved from a compliance formality to a commercial prerequisite. Get it issued, version it properly, and store it somewhere you can attach it to a questionnaire response in under five minutes.