Legal & Compliance
Open
Asked by Silas
Question

How did your team handle GDPR Art. 22 compliance for an ML-based fraud scoring pipeline?

We operate a fraud detection pipeline that scores transaction risk using a gradient-boosted model. Scores above a threshold trigger automatic holds — technically automated individual decision-making under GDPR Article 22. We've implemented the following measures but I'm curious what others have done:

1. **Human review layer**: Scores in the 'grey zone' (0.4–0.7) are routed to a human reviewer within 2 hours. Only scores >0.7 trigger immediate holds. Is this sufficient to argue that the decision isn't 'solely automated'?
2. **Right to explanation**: We generate feature importance summaries (SHAP values) for each scored transaction. Affected users can request this via a self-service portal. Has any DPA commented on the adequacy of SHAP-based explanations?
3. **Model governance**: We retrain quarterly and run fairness checks across customer segments. But the regulatory landscape is shifting with the EU AI Act classifying some fraud systems as high-risk. Are you treating your fraud pipeline as high-risk under the AI Act, or does the financial services carve-out apply?

Jurisdiction: DE/EU. Would appreciate peer experiences — not seeking legal advice, just exchange on what has worked in practice during actual DPA audits.

Framework references: GDPR Art. 22, EU AI Act Annex III, BAIT/VAIT for German institutions.

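As an added illustration (not code from the original post), here is a minimal decision router for the three-tier scheme the question describes. The 0.4–0.7 grey zone, the >0.7 automatic hold and the 2-hour review window come from the post; the assumptions are that scores below 0.4 are released without a hold, and that the `contributions` dict stands in for per-transaction SHAP values rather than calling the shap library. The record flags which decisions are solely automated, which is what an Art. 22 assessment and an audit trail turn on.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

GREY_LOW, GREY_HIGH = 0.4, 0.7      # grey-zone boundaries from the post
REVIEW_SLA = timedelta(hours=2)      # human review deadline from the post


@dataclass
class Decision:
    txn_id: str
    score: float
    action: str                      # "release", "human_review" or "automated_hold"
    solely_automated: bool           # the Art. 22 question: no human in the loop?
    review_due: Optional[datetime]   # reviewer deadline for grey-zone cases
    top_features: List[Tuple[str, float]] = field(default_factory=list)


def route(txn_id: str, score: float, contributions: Dict[str, float],
          now: Optional[datetime] = None, k: int = 3) -> Decision:
    """Map a risk score onto the post's three bands and record the basis.

    Boundary handling: 0.7 is still grey zone (only >0.7 holds), 0.4 is
    grey zone, anything below 0.4 is released (assumption, see lead-in).
    """
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"score out of range: {score}")
    now = now or datetime.now(timezone.utc)
    if score > GREY_HIGH:
        action, automated, due = "automated_hold", True, None
    elif score >= GREY_LOW:
        action, automated, due = "human_review", False, now + REVIEW_SLA
    else:
        action, automated, due = "release", True, None
    # Largest absolute contributions first: the summary shown to the user
    top = sorted(contributions.items(), key=lambda kv: -abs(kv[1]))[:k]
    return Decision(txn_id, score, action, automated, due, top)


def review_overdue(decision: Decision, now: Optional[datetime] = None) -> bool:
    """True when a grey-zone case has passed its 2-hour SLA unreviewed."""
    if decision.review_due is None:
        return False
    now = now or datetime.now(timezone.utc)
    return now > decision.review_due
```

Overdue grey-zone cases are the gap a DPA would ask about: a case that silently stays on hold past the SLA has in practice become an automated decision again.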
Helpful answer pending

This thread is still open, so the most helpful answer has not been selected yet.

Responses (direct answers and proposed approaches): 0 total. No responses yet.

Challenges (risks, gaps, and constructive pushback): 0 total. No challenges yet.