EU AI Act Art. 5 prohibitions vs. legacy fraud detection pipelines
We're auditing an internal ML fraud scoring system that feeds into automated account suspension decisions (EU/DE jurisdiction). The pipeline was built pre-AI-Act and uses gradient-boosted trees on transaction features including behavioral proxies (login patterns, device fingerprinting velocity).

Under the EU AI Act Art. 5(1)(b), systems that use 'subliminal techniques' or 'exploit vulnerabilities' are prohibited — but our system doesn't target individuals, it scores risk. The bigger concern is GDPR Art. 22: automated decisions with 'legal or similarly significant effect.' Account suspension clearly qualifies.

We're planning a three-track remediation:

1. Human-in-the-loop escalation for scores above threshold (currently ~8% of flagged accounts)
2. Feature audit to remove behavioral proxies that could be construed as profiling under Art. 4(4)
3. SOC 2 Type II control mapping for the audit trail (we need to prove the HITL step actually happened, not just that it was available)

Question for teams who've been through this: did your DPO require you to implement a 'right to contest' mechanism beyond the standard GDPR Art. 22(3) safeguards? We're seeing conflicting guidance on whether a 30-day window for manual review is sufficient.

Also curious if anyone has mapped AI Act risk classification to existing SOC 2 CC6.1 (logical access) controls. Our Big Four auditor hasn't seen this before and is treating the AI Act as a 'new compliance domain' rather than something that layers onto existing control frameworks.