Adverse Action Defined
makes it unlawful for any creditor to discriminate against any applicant . . . on the basis of race, color, religion, national origin, sex or marital status, age (provided the applicant has capacity to contract), [use of public assistance programs], or because the applicant has [exercised rights] under the Consumer Credit Protection Act.
The ECOA defines adverse action as a denial of credit in the amount or terms requested by an applicant, absent a counteroffer, or an account termination or unfavorable alteration to account terms.
The FCRA governs consumer credit report records access and is intended to encourage accuracy, fairness, and the protection of personal information assembled by credit reporting agencies (“CRAs”). As it applies to creditors, the FCRA defines adverse action as coextensive with the ECOA’s definition under section 701(d)(6) of that statute. It also includes an action that is taken on an application or transaction initiated by a consumer or affiliated with an account review and that is adverse to the interests of the consumer. A creditor must provide an FCRA adverse action notice when it takes an adverse action based on information that was (1) in a consumer report; (2) obtained from non-consumer-reporting-agency third parties addressing the creditworthiness, character, personal characteristics, or other similar traits of an applicant; or (3) provided by a corporate affiliate of the creditor.
Since these rules differ, an adverse notice may be necessary under one or both statutes, depending upon the circumstances. Financial institutions can include the disclosures required under both the ECOA and the FCRA in one adverse action notice if both notices are required. For example, both statutes may require a financial institution to provide an adverse action notice when an adverse credit decision is based on either a consumer credit report or information obtained through a non-CRA third party. The FCRA does not impose deadlines to provide adverse action notices, but Regulation B of the ECOA requires notice to be provided within thirty to ninety days, depending on the nature of the adverse action. Thus, combined notices usually adhere to the timing requirements in the ECOA.
Adverse Action Notice Requirements
ECOA adverse action notices must be in writing and contain (1) a statement of the action taken; (2) the name and address of the creditor; (3) a statement of the relevant provisions of section 701(a) of the act; and (4) the name and address of the federal agency that oversees the creditor’s compliance.
The written notification must also include either the reasons for action taken (i.e., “a statement of reasons”) or disclosure of the applicant’s right to a statement of reasons and instructions for obtaining one. Statements of reasons must be specific and articulate the principal reasons behind any adverse action, although the relationship between those reasons and the credit denial does not necessarily need to be clear to the applicant. According to 12 C.F.R. part 1002.9(b)(2), statements that the adverse action occurred due to the internal standards of the creditor or that the applicant failed to achieve a qualifying score pursuant to the credit scoring system of the creditor are insufficient. Courts have held that statements of reasons must be detailed enough to be informative.
The contents of an adverse action notice under the FCRA vary depending on the sources of information used to make a decision adverse to a consumer’s interests:
- A creditor that takes adverse action based on information in a consumer report is required to, among other things, provide the consumer with oral, written, or electronic notice of the action. If a credit score factored into the adverse decision, the creditor is required to provide written or electronic notice of the credit score and also provide other information about the credit score, including the range of possible credit scores, factors that adversely affected the consumer’s credit score, the date on which the score was created, and the name of the person or entity that provided the credit score or file upon which it was created.
- A creditor that takes adverse action based on information from third parties other than CRAs regarding such factors as creditworthiness, credit standing, credit capacity, character, or other factors must disclose upon request the nature of the information used to reach the adverse action. The “nature of the information” refers to the type of information but not necessarily the source on which the creditor relied.
- A creditor that takes adverse action based upon information provided by one of its corporate affiliates must disclose upon request the nature of the information, except for any information solely related to experiences between the consumer and the affiliate that furnished the information. The standard appears to be less specific and prescriptive than that of the ECOA.
Implications of AI Decision-Making for Adverse Action Notifications
There are clear benefits to using complex algorithms, including AI or machine learning, in consumer credit decisions. AI has the potential to grow access to credit by enabling financial institutions to evaluate the creditworthiness of applicants who might otherwise be impossible to assess using traditional methods because AI can allow creditors to consider more information about credit applicants than is otherwise possible. Such technology could also lead to more efficient, informed, equitable decisions and even lower the cost of credit.
Notwithstanding those potential benefits, AI models in which inputs or outputs lack transparency or are not explainable may pose regulatory risks to creditors. The CFPB has, for example, signaled that a “creditor cannot justify noncompliance with the ECOA and Regulation B’s [adverse action] requirements based on the mere fact that the technology it employs is too complicated or opaque to understand.” Use of an AI model likely poses similar risks to a creditor’s compliance with the FCRA’s adverse action requirements, which require the creditor to be able to identify the nature of the information used (outside of a consumer report) to assess an applicant’s creditworthiness.
As the Official Interpretations to Regulation B make clear, however, disclosure of information sufficient to satisfy one statute’s adverse action notice requirements does not necessarily establish compliance with the other’s. As previously noted, courts in particular appear to scrutinize the quality and content of the statement of reasons for adverse action under the ECOA much more carefully than they do the sources of information required to be disclosed in an adverse action notice under the FCRA.
To comply with both statutes, therefore, a creditor must be able to identify inputs to an AI and understand how those inputs were used to arrive at the model’s result. Implementing appropriate governance around the use of these models, including documentation of design choices and updates, testing to improve transparency and explainability, and legal and/or compliance oversight of the adverse action notices, will help reduce regulatory risks.
In addition, where such models are built by third-party vendors, creditors should consider revising their contracts to allow for a creditor’s precontractual diligence and vetting of those models to ensure that the creditor is able to comply with these regulatory obligations. Moreover, for those creditors subject to the authority of the Federal Deposit Insurance Corporation (“FDIC”), Board of Governors of the Federal Reserve (“FRB”), or the Office of the Comptroller of the Currency (“OCC”), care should be taken to ensure that any third-party relationships adhere to the recent Interagency Guidance on Third-Party Relationships: Risk Management.
The authors wish to thank summer associate Lauren Burns for her assistance.