The financial sector was one of the first to apply statistical models to decision-making, long before anyone spoke of artificial intelligence. The scoring card developed in the 1950s was already pursuing the same goal that a machine learning model pursues today: estimating the probability that an applicant will not repay a loan. What has changed is the power of the methods, the volume of available data, and — above all — the regulatory requirements around how those decisions are explained and supervised.
This article focuses on two applications where AI delivers measurable value in banking and lending: credit risk — deciding to whom to lend and on what terms — and financial fraud detection. Both share an awkward characteristic: they work with severely imbalanced data, because the vast majority of customers repay and the vast majority of transactions are legitimate.
Credit scoring and default prediction
The objective of credit scoring is to estimate the probability of default (PD) of an applicant over a defined time horizon, typically twelve months. The definition of "default" is not trivial: the Basel prudential framework and European Banking Authority guidelines set default at ninety days of arrears or at unlikeliness to pay. The model is trained on that label.
For decades the standard was logistic regression, valued for its transparency: each variable has an interpretable coefficient and the output is a probability between 0 and 1. Today it coexists with gradient boosting models such as XGBoost or LightGBM, which capture non-linear interactions and generally improve discriminant power. That improvement comes at a cost: these are more opaque models. In consumer credit, transparency is therefore not optional, and explainability techniques such as SHAP values (Shapley Additive Explanations) make it possible to decompose each individual decision into the contribution of each variable — a requirement that is practically indispensable for justifying a rejection to the customer and to the regulator.
In retail banking, there is also a highly useful intermediate tool: the scorecard built on logistic regression with variables transformed using weight of evidence (WoE). The technique discretises each continuous variable into bands and replaces each band with a value measuring its predictive power, which offers two advantages: it linearises the relationship with risk and produces a scoring card that a risk analyst can read and interpret band by band. That interpretability explains why, despite the emergence of more powerful models, many institutions retain regression-based scorecards in their lending decisions: the discrimination improvement over a boosting model may be small, while the difference in defensibility before the regulator is substantial. The balance between predictive power and transparency is, in credit, a governance decision as much as a technical one.
Metrics that actually matter
Measuring a risk model by accuracy is a classic error: if only 3% of loans default, a model that approves everyone achieves 97% accuracy and is useless. The correct metrics are different. AUC-ROC measures the ability to rank good and bad payers; in banking, the closely related Gini coefficient is frequently used (Gini = 2·AUC − 1), where values above 0.4 are generally considered acceptable in retail portfolios. The Kolmogorov-Smirnov (KS) statistic measures the maximum separation between the distributions of good and bad payers. And above all stands the cost matrix: approving a defaulter (false negative) and rejecting a good payer (false positive) have very different economic costs, and the cut-off threshold must be set by optimising that cost, not accuracy.
Financial fraud detection
Transactional fraud presents a classification problem that is severely imbalanced — fractions of a percentage point — and also adversarial: fraudsters adapt their behaviour to evade detection rules. Against traditional rule-based systems ("block if amount exceeds X"), current models combine two families. Supervised models learn from labelled historical fraud cases; unsupervised models, such as Isolation Forest or autoencoders, detect deviations from normal behaviour without requiring prior examples, which allows novel fraud patterns to be caught. Graph analysis adds a powerful layer by modelling relationships between accounts, devices and beneficiaries, uncovering money mule networks that transaction-by-transaction analysis would miss. To address class imbalance, resampling techniques such as SMOTE generate synthetic examples of the minority class during training.
A decisive factor in fraud that does not apply in credit is latency. The decision to approve or block a card transaction must be made within milliseconds, while the customer waits at the payment terminal. That constraint shapes the engineering: the model is served in real time, features are computed on the fly from a recent history (the customer's average transaction amount, frequency of operations, geographic distance from the previous purchase) and the system must degrade gracefully when a data source fails to respond in time. That is why two layers coexist: a real-time scoring layer that is fast and conservative, and a deferred analysis layer that is more thorough, reviewing patterns after the fact and feeding investigations. The cost of a false positive here is tangible: blocking a legitimate purchase from a good customer damages the relationship just as much as allowing a fraud damages the profit and loss account, and the threshold must be calibrated with that tension in mind.
The model lifecycle: from development to monitoring
A risk model does not end when it achieves good performance in validation; that is where its operational life begins. The development phase defines the target variable, builds the dataset while respecting temporal ordering and selects the algorithm. The independent validation phase, required by model risk management practices, subjects the model to backtesting on unseen data and to stress tests that simulate adverse scenarios — a recession, a rate rise. The production phase deploys the model with version control and traceability of every decision. And the monitoring phase — the most neglected and the most critical — watches for two types of drift: model drift (its predictive power erodes) and population drift (today's applicants are not the same as those of two years ago). The population stability index quantifies the second type; when it exceeds the alert threshold, the model must be recalibrated or retrained before the deterioration feeds through to portfolio delinquency.
Implementation steps and model governance
- Define the target variable rigorously. Agree on the definition of default or fraud according to the applicable regulatory framework before touching a single data point.
- Build the dataset with a temporal window. Separate training, validation and test sets while respecting chronological order to avoid data leakage from the future.
- Check for bias. Verify that the model does not discriminate on the basis of protected characteristics or their proxies (postcode as a proxy for origin, for example).
- Validate independently. A team separate from those who built the model subjects it to backtesting and stress tests, in line with the supervisor's model risk management guidelines.
- Monitor for drift. Track the population stability index to detect when the applicant population changes and the model ceases to be valid.
Applicable regulatory framework
In the European Union, the AI Regulation (Regulation EU 2024/1689, the AI Act) classifies as a high-risk system the assessment of creditworthiness and the credit scoring of natural persons, imposing obligations on risk management, technical documentation, human oversight and traceability. Added to this is Article 22 of the GDPR, which grants the data subject the right not to be subject to decisions based solely on automated processing that produce significant legal effects, and to obtain human intervention and an explanation. The EU and national data protection authorities have published specific guidance on these requirements. Ignoring this framework is not merely a reputational risk: it is a direct regulatory sanction risk.
Model comparison for credit risk
| Model | Predictive power | Interpretability | Regulatory fit |
|---|---|---|---|
| Logistic regression | Medium | High | Excellent |
| Decision trees | Medium | High | Good |
| Gradient boosting (XGBoost) | High | Low (mitigable with SHAP) | Acceptable with explainability |
| Neural networks | High | Very low | Difficult to justify |
Frequently asked questions
Can an institution deny credit based solely on an algorithm? Article 22 of the GDPR requires that human intervention and an explanation be offered when an automated decision produces significant effects. In practice, the model makes a recommendation and a person can review borderline cases.
Why not always use the most accurate model? Because in finance, accuracy without explainability is not regulatorily admissible, and a marginal gain in discrimination does not compensate for the inability to justify a rejection to the supervisor or the customer.
How is model bias prevented? By excluding protected characteristics, auditing their indirect proxies and measuring fairness metrics across demographic groups. The absence of the variable does not guarantee the absence of bias if another variable represents it indirectly.
How often should a scoring model be retrained? There is no fixed period; it depends on population drift. Continuous monitoring of the population stability index indicates when reality has diverged from training data and recalibration is warranted.
At Summum Inteligencia Artificial we hold that in finance the best modelling decision is rarely the most sophisticated one, but the one that balances predictive power, explainability and regulatory fit. A credit risk or fraud detection system only delivers value if the institution can defend every decision to the customer, the auditor and the regulator. The competitive frontier no longer lies in having the most powerful algorithm but in governing it: documenting it, monitoring its drift and keeping a human as the ultimate control instance. That discipline is what separates a model that generates sustainable business from one that silently accumulates liabilities until the portfolio deteriorates or the regulator comes calling.