Field notes
The lettings agent's tenant scoring blind spot under the EU AI Act
18 May 2026
A letting agency I spoke to recently had switched to a "smart referencing" product eighteen months ago. The decision was made by the office manager on the basis that it was faster than the old process and the price was similar. Nobody used the phrase "AI system." Nobody discussed deployer obligations. The product has been running automated affordability scores on prospective tenants ever since.
That agency is almost certainly a deployer of a high-risk AI system under the EU AI Act. They have no logs. They have no human oversight protocol. They have never heard of Article 27.
The August 2026 deadline for Annex III obligations is not far away. And the drift into this territory has been entirely silent.
The EU AI Act came into force in August 2024. Its risk tiers are not evenly distributed. Most of the Act's weight falls on "high-risk" systems, defined in Annex III. Point 5(b) of that annex classifies AI systems used to "evaluate the creditworthiness of natural persons or establish their credit score" as high-risk.
Tenant referencing sits squarely in that territory. An AI system that takes income data, credit history, and employment status and produces a pass, fail, or tiered score for a prospective tenant is evaluating creditworthiness of a natural person. The fact that the output is labelled "referencing decision" rather than "credit score" does not change the classification.
There is a carve-out. Systems used solely to detect financial fraud are excluded from point 5(b). Fraud detection is a different function. If a referencing tool flags document tampering or identity inconsistency, that component may sit outside Annex III. But the affordability scoring component does not. A product that does both contains a high-risk module, and that is enough.
The Act also distinguishes between providers (the companies that build and place the system on the market) and deployers (organisations that use the system in a professional context). Goodlord, HomeLet, Vouch, and similar platforms are providers. The lettings agency using the platform is the deployer. The obligations are different, but deployers carry real ones.
Referencing platforms have every commercial incentive to describe their AI features in terms of speed and accuracy rather than risk classification. "Smart referencing," "instant decisions," "automated affordability checks." These phrases are not dishonest. They are just not the language of Annex III.
The result is that agencies adopt these tools through a procurement decision, not a compliance decision. The office manager comparing Goodlord against a manual process is asking: is it faster, is it cheaper, does it reduce admin? They are not asking: does this product contain an AI system that falls under Annex III point 5(b), and if so, what are my obligations as a deployer?
This is the drift. Nobody decided to deploy a high-risk AI system. The decision that was made was about referencing workflow. The regulatory classification arrived silently, bundled inside the product.
I wrote about a similar dynamic in the context of AML verification tools and the gap between policy documents and actual check logs. The pattern repeats: the tool is adopted for operational reasons, the compliance obligation is discovered later, usually under pressure.
The obligations for deployers of high-risk AI systems under the EU AI Act are not trivial. The main ones relevant to a lettings agency are:
Human oversight. Article 14 requires that high-risk AI systems be designed to allow human intervention. As a deployer, you must ensure that oversight actually happens, not just that the provider has built in a theoretical override button. If your workflow routes every referencing decision directly from the AI output to a decision communicated to the applicant, with no human review step, you are not meeting this requirement.
Logging and record-keeping. Article 12 requires that high-risk systems generate logs sufficient to allow post-hoc assessment of the system's operation. As a deployer, you need to retain those logs. If your referencing platform generates them and you never export or store them, you are not compliant.
Fundamental rights impact assessment. Article 27 requires deployers to carry out a fundamental rights impact assessment before putting a high-risk system into use, where the deployer is a body governed by public law or where the system is used to provide certain services. Private lettings agencies are not automatically caught by the public-body criterion, but the assessment is good practice regardless, and regulators are likely to treat the absence of any documented assessment as an aggravating factor.
Transparency to affected persons. Article 50 requires that natural persons subject to decisions made by high-risk AI systems be informed that AI is involved. If you are using an AI-scored referencing product and your applicant communications say nothing about this, that is a gap.
There is also a GDPR Article 22 overlap that agencies consistently miss. Automated decision-making that produces a legal or similarly significant effect on a natural person requires, among other things, that the data subject be given the right to obtain human review of the decision. A tenancy application decision is a significant effect. If the AI referencing output is the effective decision, Article 22 applies. The right to human review is not optional.
The Section 21 workflow post covers how sequencing failures in lettings compliance tend to compound. The same logic applies here. A missing log at referencing stage creates a gap that is hard to close retrospectively if a rejected applicant raises a discrimination or automated-decision complaint.
Before August 2026, every lettings agency using AI-augmented referencing should be able to answer these five questions.
```yaml
deployer_assessment:
  question_1:
    text: "Does your referencing product produce an automated score or pass/fail output based on applicant financial data?"
    if_yes: "You are likely using an Annex III point 5(b) system. Treat yourself as a deployer."
  question_2:
    text: "Does a human at your agency review the AI output before a decision is communicated to the applicant?"
    if_no: "You have no human oversight step. This is a gap under Article 14."
  question_3:
    text: "Can you produce logs of individual referencing decisions, including the AI score and the data inputs, for the past 12 months?"
    if_no: "You are not meeting Article 12 logging requirements. Contact your provider about log export."
  question_4:
    text: "Does your applicant-facing communication (portal, email, letter) mention that AI is used in the referencing process?"
    if_no: "You have a transparency gap under Article 50 and potentially GDPR Article 13."
  question_5:
    text: "Do you have a documented process for applicants to request human review of a referencing decision?"
    if_no: "You are not meeting GDPR Article 22 requirements for automated decision-making."
```
If you answered "no" to two or more of these, you have a compliance gap that is already open. The August 2026 deadline is the point at which enforcement focus sharpens, but the obligations themselves apply now.
The practical steps are not complicated. They are just not yet on most agencies' radar.
First, contact your referencing provider and ask them directly: does your product contain an AI system that performs creditworthiness evaluation? Ask for their Annex III classification position in writing. A provider that cannot answer this question is itself a signal.
Second, map your current referencing workflow. Where does the AI output appear? Who sees it? What happens next? If the answer is "the system sends the result and we pass it on," you have no human oversight step.
Third, add a review gate. This does not have to be a lengthy manual re-check. It means a named person at the agency looks at the AI output, has the ability to override it, and the fact of that review is recorded. That record is your log.
Fourth, update your applicant communications. A single sentence in your referencing consent form and your decision communications is enough to address the transparency requirement. "This referencing process uses automated scoring. You have the right to request human review of any decision."
Fifth, document the above. A one-page internal procedure note, dated and signed, is not a full fundamental rights impact assessment. But it demonstrates that someone at the agency turned their mind to the question. That matters when a regulator or a rejected applicant starts asking questions.
The EU AI Act is not primarily a technology law. It is a process law. The agencies that will struggle with it are the ones whose processes were already opaque before the AI arrived. The agencies that will manage it are the ones that treat a referencing workflow as something that needs to be designed, documented, and reviewed, not just purchased.
If you are not sure where your current setup sits, the AI Workflow Audit is the right place to start. We map what is actually running, identify where the regulatory exposure sits, and build the process layer that the tool alone cannot provide.
- Regulation (EU) 2024/1689, Artificial Intelligence Act (full text). Article 12 (record-keeping), Article 14 (human oversight), Article 27 (fundamental rights impact assessment), Article 50 (transparency), Article 113 (entry into application), and Annex III point 5(b) (creditworthiness evaluation) cited.
- Regulation (EU) 2016/679, General Data Protection Regulation (full text). Article 13 (information to data subjects) and Article 22 (automated individual decision-making) cited.
Sources verified on 2026-05-24. This post does not constitute legal advice.