An AI chatbot for banks answers recurring customer questions 24/7, reduces the load on customer service, and meets the requirements of the GDPR, the EU AI Act, and financial regulation. For banks, both sides matter: noticeably better customer service and an architecture that holds up under regulatory scrutiny. This guide covers the most important use cases, the regulatory obligations, and the criteria for choosing a provider.
At a glance
24/7: Standard inquiries such as onboarding, access data, or product information are automated, even outside of service hours.
Data processing exclusively in the EU, with no third-country transfer.
Traceable answers from verified sources, with controlled handovers to employees.
No automated credit decisions by the bot; such cases belong to a human.
Regulatory framework: GDPR, EU AI Act, MaRisk outsourcing, and DORA.
Proven in use at Volkswagen Bank.
Why banks rely on Conversational AI
Bank customers expect answers immediately and at any time of day. A large portion of inquiries in direct banking is repetitive: initial login to online banking, questions about access data and PhotoTAN, card issues, product terms, or the status of an inquiry. These topics tie up service capacity without requiring individual advice.
An AI chatbot takes over exactly these recurring cases. This lowers the cost per contact, shortens waiting times, and frees the telephone and written channels for cases that need real advice. Studies show that employees spend a significant share of their working time simply searching for information. Depending on the subject area, up to 90 percent of standard inquiries can be answered automatically.
The most important use cases in banking
Onboarding and initial login: Step-by-step help with the first login to online banking and setting up the PhotoTAN.
Access and security: Answers to locked access, password resets, and security procedures without collecting sensitive data in an uncontrolled manner.
Product and term inquiries: Information on accounts, loans, cards, and interest rates based on released product information.
Status inquiries: Information on the status of an inquiry or process via integration with backend systems.
Handover to advisory service: For complex or regulatorily sensitive topics, the bot hands over to an employee in the Agent Desk with the full conversation history.
The boundary of the use case is crucial. A service chatbot answers questions and routes them. It does not make creditworthiness or lending decisions about a person, because such decisions are subject to stricter requirements.
Compliance is the entry ticket in banking
In no industry does regulation weigh more heavily than in the financial sector. A banking chatbot must satisfy four regulatory layers:
GDPR: Legal basis, data minimization, order processing, and data subject rights. The basics are summarized in the article on the GDPR and EU AI Act-compliant AI chatbot.
EU AI Act: Transparency obligation under Art. 50, so that customers recognize that they are interacting with AI. Service chatbots are usually not high-risk systems, whereas automated creditworthiness decisions are. The intended purpose defined by the operator determines the classification.
MaRisk and BAIT: Using an external platform constitutes outsourcing. It must fit into the bank's outsourcing management, with clear responsibilities, control rights, and traceability.
DORA: The Digital Operational Resilience Act treats the provider as an ICT third-party service provider. This requires resilient operations, documented processes, and support with incident reporting, among other things.
The data storage location is often a knock-out criterion. Processing outside the EU is legally exposed under data protection law and is rarely permitted in tenders of regulated institutions. Why this is so is explained in the article on chatbot hosting in Germany.
What banks should consider when choosing a provider
Processing location and data flows: Is all data processed exclusively in the EU, including the language model?
Order processing: How short and EU-centric is the list of sub-processors?
Traceability: Can every answer be traced back to its source?
Audit and control: Is there complete audit logging, separation of roles, and regular penetration testing?
Escalation: How reliably does the bot hand over to a human when a case exceeds its limits?
Documentation: Does the provider deliver the documents for DPAs, DPIAs, outsourcing, and EU AI Act compliance evidence?
How Mercury.ai implements this in banking
Mercury.ai is the conversational AI platform from Germany, designed for regulated industries:
Hosting exclusively in Germany (AWS Frankfurt), without third-country transfer, with encryption in transit and at rest.
Single sub-processor, simplifying outsourcing and DPA management.
European, self-hosted models without API calls to external providers.
Hybrid AI on verified knowledge: Answers are generated from the bank's approved sources. The risk of hallucination is significantly reduced; every answer remains traceable back to the source. The technology behind this is described in Mercury Intelligence.
Operational security: Tenant separation, two-factor authentication, complete audit logging, and regular penetration tests. The data centers used are ISO 27001 certified; Mercury.ai aligns with ISO 27001.
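The three design rules this page keeps returning to (answers only from approved sources with a traceable reference, no creditworthiness or lending decisions by the bot, a handover to a human with the full conversation history, and an audit record of every turn) can be enforced in a thin policy layer in front of the language model. The following Python is an added illustration written for this article, not Mercury.ai's code; the knowledge base, the keyword lists and the function names are constructed for the example.

```python
# Policy layer for a banking service bot (illustrative; not vendor code).
# Rule 1: answer only from approved sources and cite the source id.
# Rule 2: never decide high-stakes questions; hand over with full history.
# Rule 3: write an audit entry for every turn.
from dataclasses import dataclass, field

# Constructed sample knowledge base: released, approved documents only.
# Each entry: source id -> (matching keywords, approved answer text).
APPROVED_SOURCES = {
    "KB-101": (("first login", "initial login"),
               "For the first login, use the activation letter and set a password."),
    "KB-102": (("phototan",),
               "Install the PhotoTAN app and scan the activation image from your letter."),
    "KB-103": (("locked", "password"),
               "Request a new password via the reset form; staff will never ask for it in chat."),
}
# Hypothetical trigger words for decisions the bot must not make (Rule 2).
HIGH_STAKES_TERMS = ("eligible", "creditworthiness", "approve", "lending decision")
AI_DISCLOSURE = "You are chatting with an AI assistant."   # Art. 50 transparency
HANDOVER_TEXT = "A colleague will take over this request."
AUDIT_LOG: list[dict] = []

@dataclass
class TurnResult:
    kind: str                               # "answer" or "handover"
    text: str
    sources: list[str] = field(default_factory=list)
    history: list[str] = field(default_factory=list)   # full transcript so far

def _retrieve(question: str) -> list[tuple[str, str]]:
    """Return (source id, text) for approved documents matching the question."""
    return [(sid, text) for sid, (keys, text) in APPROVED_SOURCES.items()
            if any(k in question for k in keys)]

def handle_turn(history: list[str], message: str) -> TurnResult:
    """Process one customer message; history is the prior transcript."""
    transcript = history + [f"customer: {message}"]
    prefix = f"{AI_DISCLOSURE} " if not history else ""   # disclose AI on first contact
    q = message.lower()
    if any(term in q for term in HIGH_STAKES_TERMS):
        reason, result = "high-stakes decision", TurnResult("handover", prefix + HANDOVER_TEXT, [], transcript)
    elif hits := _retrieve(q):
        ids = [sid for sid, _ in hits]
        text = " ".join(t for _, t in hits) + f" (Source: {', '.join(ids)})"
        reason = "grounded answer"
        result = TurnResult("answer", prefix + text, ids, transcript + [f"bot: {text}"])
    else:   # no approved source: do not let the model guess, escalate instead
        reason, result = "no approved source", TurnResult("handover", prefix + HANDOVER_TEXT, [], transcript)
    AUDIT_LOG.append({"turn": len(transcript), "kind": result.kind,
                      "reason": reason, "sources": result.sources})
    return result
```

The handover result carries the whole transcript so the Agent Desk employee sees the full context, and the audit entry records why the bot answered or escalated.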
“Implementation on the websites is straightforward and does not require extensive technical expertise.”
Mario Prüßner, Volkswagen Bank GmbH

Volkswagen Bank: Conversational Banking in practice
Volkswagen Bank uses Mercury.ai in customer service and automates a variety of recurring inquiries around the clock, such as the first login to online banking, PhotoTAN, and access data. The business case is positive, and customer satisfaction is rising because answers are available at any time. The example shows that automation and regulatory diligence can be implemented together in banking.
Frequently Asked Questions (FAQ)
Is an AI chatbot for banks GDPR-compliant?
That depends on the architecture. A chatbot is compliant if it processes personal data on a legal basis and exclusively in the EU, includes a data processing agreement, does not use data to train external models, and informs customers transparently about the use of AI.
Which tasks should a banking chatbot not take over?
Automated decisions regarding creditworthiness or other high-stakes individual decisions should not be left solely to a bot. Such cases are regulatorily sensitive and should be handed over to employees.
How does a chatbot provider fit into MaRisk and DORA?
The use of an external platform is an outsourcing and an ICT third-party service provider relationship. The provider should offer the necessary control rights, evidence, and resilient operations so that the bank can include them in its outsourcing and resilience management.
How long does implementation take?
Depending on the scope and integration with backend systems, an initial productive use case can be reached in just a few weeks. The knowledge base can then be expanded continuously.

Conclusion
An AI chatbot brings banks customer service that is available 24/7 and relieves the team of routine questions. For this to succeed, the solution must fit the regulation from the start: data processing in the EU, traceable answers, safe outsourcing, and a clear boundary regarding high-stakes decisions. By evaluating providers against these criteria, institutions automate service while staying compliant and secure.
Would you like to know how conversational banking looks for your institution? Talk to us or download the EU AI Act security paper.
About the author: Mirco Schmidt is CRO at Mercury.ai. He has more than ten years of experience in international and leadership positions, including at the Volkswagen Group, Club Med, and EQS Group, and holds a degree in Marketing Management from the FH des Mittelstands in Bielefeld. His areas of expertise are project management, marketing, sales, and communication.