CFPB Applies Adverse Action Notification Requirement to Artificial Intelligence Models

Skadden, Arps, Slate, Meagher & Flom LLP

Darren M. Welch, Bryan A. Burcat

As technology continues to advance, regulators are increasingly addressing the fair lending implications of artificial intelligence (AI),1 even though comprehensive rules governing AI have yet to be promulgated. Notably, the Consumer Financial Protection Bureau (CFPB) has indicated that it will use adverse action notification requirements under the Equal Credit Opportunity Act (ECOA) as a tool to increase lender transparency about AI.

Below we summarize ECOA adverse action notification requirements, discuss recent CFPB publications on the topic and identify steps that lenders may wish to consider in order to assess and mitigate risk.

Adverse Action Notification Requirements and Enforcement

Regulation B, which implements ECOA, requires creditors to provide written notification when taking “adverse action” against a consumer, including declining an application for credit, making an adverse change to the terms and conditions of an account or denying a request to increase a credit limit.2 The adverse action notification provided to consumers must include a “statement of specific reasons for the action taken.”3 For example, the notification might state that a loan application was declined due to “Income insufficient for amount of credit requested,” “Limited credit experience,” or “Value or type of collateral not sufficient” according to model adverse action forms issued by the bureau.4

A creditor must disclose the “principal reasons” for denying an application or taking other adverse action.5 While the regulation does not provide a specific number of reasons that must be disclosed, the official staff commentary to Regulation B states that “disclosure of more than four reasons is not likely to be helpful to the applicant.”6 The staff commentary also provides some guidance as to how creditors can select the principal reasons to disclose when the adverse action is based on “credit scoring.”7 Notably, however, this staff commentary has not changed materially in more than 20 years, with no updates to account for advances in technology and the proliferation of AI models.

CFPB Circular 2023-03

On September 19, 2023, the CFPB issued a circular, “Adverse Action Notification Requirements and the Proper Use of the CFPB’s Sample Forms Provided in Regulation B.” The circular reminds creditors that they must provide accurate and specific reasons to consumers indicating why their loan applications were denied, including in circumstances where the creditor uses AI models.

The circular is among the latest in a series of actions by the CFPB relating to adverse action notification requirements, including a previous circular in 2022 stating that creditors must comply with ECOA and Regulation B adverse action requirements even when complex algorithms “make it difficult — if not impossible — to accurately identify the specific reasons for denying credit or taking other adverse actions.”8 Also, in a January 2024 press release, the CFPB noted consumer complaints about prospective renters not receiving adverse action notifications required under the Fair Credit Reporting Act.9

A central focus of the circular is that creditors cannot simply use the most analogous adverse action reason on the Regulation B model adverse action forms if that reason is not accurate and specific under the circumstances:

While the sample forms provide examples of commonly considered reasons for taking adverse action, “[t]he sample forms are illustrative and may not be appropriate for all creditors.” Reliance on the checklist of reasons provided in the sample forms will satisfy a creditor’s adverse action notification requirements only if the reasons disclosed are specific and indicate the principal reason(s) for the adverse action taken.

While this language adheres closely to Regulation B, in other portions of the circular the CFPB signals that it has heightened expectations for transparency and specificity when AI models in particular are used to deny loan applications, lower credit limits or otherwise take adverse action. For example, the circular states that “if a complex algorithm results in a denial of a credit application due to an applicant’s chosen profession,” a disclosure that the applicant had “insufficient projected income” or “income insufficient for amount of credit requested” would likely not suffice. In addition, the circular states that “even if the creditor believed that the reason for the adverse action was broadly related to future income or earning potential, providing such a reason likely would not satisfy its duty to provide the specific reason(s) for adverse action.” This statement could be viewed as an expansive interpretation, as one could reasonably argue that consumers would likely understand their occupation would be a factor in projecting their income.

The circular also states that if a creditor lowers a consumer’s credit limit or closes an account “based on behavioral data, such as the type of establishment at which a consumer shops or the type of goods purchased, it would likely be insufficient for the creditor to simply state ‘purchasing history’ or ‘disfavored business patronage’ as the principal reason for adverse action.” The circular further provides that the creditor “would likely need to disclose more specific details about the consumer’s purchasing history or patronage that led to the reduction or closure, such as the type of establishment, the location of the business, the type of goods purchased, or other relevant considerations, as appropriate.”

This level of specificity in an adverse action reason appears to be higher than has been required under the CFPB’s model forms. None of the reasons on the model adverse action forms require information as specific as “the location of the business.” Rather, the reasons in the model adverse action form, such as “Your Credit History … of making payments on time was not satisfactory,”10 do not require transaction-specific data.

The circular also suggests that the CFPB will use adverse action requirements to increase scrutiny of nontraditional data elements in AI models, particularly those based on “consumer surveillance.” In this regard, the circular states:

Some creditors use complex algorithms involving “artificial intelligence” and other predictive decision-making technologies in their underwriting models. These complex algorithms sometimes rely on data that are harvested from consumer surveillance or data not typically found in a consumer’s credit file or credit application. The CFPB has underscored the harm that can result from consumer surveillance and the risk to consumers that these data may pose. Some of these data may not intuitively relate to the likelihood that a consumer will repay a loan. The CFPB and the prudential regulators have previously noted that these data may create additional consumer protection risk.

. . .

Specificity is particularly important when creditors utilize complex algorithms. Consumers may not anticipate that certain data gathered outside of their application or credit file and fed into an algorithmic decision-making model may be a principal reason in a credit decision, particularly if the data are not intuitively related to their finances or financial capacity.

These broad statements, including the reference to “harm that can result from consumer surveillance and the risk to consumers,” suggest that the CFPB is concerned not only about the clarity of adverse action statements, but also substantive issues such as discrimination implications and unfair, deceptive and abusive acts and practices risk. As such, lenders may wish to reconsider their existing or potential future use of certain variables in light of increased burden, reputational concerns or proprietary business considerations that may be implicated by providing more specific adverse action reasons.

Takeaway Points

The circular indicates that:

  • The CFPB is closely scrutinizing creditor compliance with adverse action notification obligations.
  • Nontraditional factors used in AI models present elevated adverse action and other risks insofar as the variables do not conform to consumer “expectations” about traditional credit underwriting criteria.

Creditors using any type of model, including those driven by AI, for fraud detection, underwriting, credit limits and other purposes should consider undertaking a review of their adverse action notification processes.

  • Such steps could include carefully vetting AI models before use to assess model “explainability” and the model’s capability of accurately identifying the principal reasons for outcomes.
  • Creditors may also wish to map the factors used in models to corresponding adverse action reasons and assess whether those reasons are sufficiently specific to satisfy the standards articulated in Regulation B and CFPB Circular 2023-03.
  • In addition, the CFPB’s comments in the circular about nontraditional data risks underscore the importance of fair lending testing, documenting business justifications for the use of models and the factors therein, and considering alternatives for model factors harvested from consumer surveillance and those not typically found in a consumer’s credit file or credit application.

Finally, we note that, given the evolving nature of AI and its use in the financial services industry, regulatory guidance in this area will likely continue to develop.

_______________

1 See, e.g., Board of Governors of the Federal Reserve System, et al., Request for Information and Comment on Financial Institutions’ Use of Artificial Intelligence, Including Machine Learning, 86 Fed. Reg. 16,837 (March 31, 2021); Ken D. Kumayama, Stuart D. Levi and Resa K. Schlossberg, “SEC Proposes New Conflicts of Interest Rule for Use of AI by Broker-Dealers and Investment Advisers” (Aug. 10, 2023).

2 12 C.F.R. §§ 1002.2(c), 1002.9.

3 12 C.F.R. § 1002.9(a)(2)(i).

4 12 C.F.R. Part 1002, Appendix C, Form C-1.

5 12 C.F.R. Part 1002, Supplement I, ¶ 9(b)(2), Comment 1.

6 Id.

7 Id. at Comments 4-7.

8 CFPB, Consumer Financial Protection Circular 2022-03 “Adverse Action Notification Requirements in Connection With Credit Decisions Based on Complex Algorithms” (May 26, 2022).

9 CFPB press release “CFPB Addresses Inaccurate Background Check Reports and Sloppy Credit File Sharing Practices” (Jan. 11, 2024).

10 See 12 C.F.R. Part 1002, Appendix C, Form C-2.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
