chevron-down Created with Sketch Beta.

Business Law Today

November 2023

Adverse Action Notice Compliance Considerations for Creditors That Use AI

Courtney Dankworth, Avi S Gesser, Jehan Patterson, Lucy Litt, and Alexandra Mogul

Summary

  • Federal regulators have signaled that they will be scrutinizing companies that rely on artificial intelligence (“AI”), including in consumer financial services, to ensure their compliance with existing laws. 
  • The Equal Credit Opportunity Act (“ECOA”) and the Fair Credit Reporting Act (“FCRA”) each contain an adverse action notice requirement. The requirements dovetail in some respects and diverge in others, but both involve the ability to explain aspects of the basis for the action.
  • To comply with both statutes’ notice requirements, a creditor must understand both the sources of information upon which the credit decision relies and the manner in which those sources and any other factors are assessed to justify the adverse action, including when AI is used. 
  • AI models in which inputs or outputs lack transparency or are not explainable may pose regulatory risks to creditors. Where AI models are built by third parties, creditors should revise contracts to allow the creditors to vet those models to ensure that they comply with regulatory requirements.
Adverse Action Notice Compliance Considerations for Creditors That Use AI
iStock.com/Olemedia

Jump to:

Federal regulators have signaled that they will be scrutinizing companies that rely on artificial intelligence (“AI”), including in consumer financial services, to ensure their compliance with existing laws. Last year, the Consumer Financial Protection Bureau (“CFPB”) issued interpretive guidance stating that companies that rely on “complex algorithms” to make lending decisions must nonetheless adhere to the requirement of the Equal Credit Opportunity Act (“ECOA”) to provide notice to credit applicants of the specific reasons they were declined credit. That advisory opinion was in turn followed by a September 2023 circular instructing that creditors that use AI in their underwriting models may not rely on the CFPB’s model adverse action notice forms if the specific and accurate principal reasons for the action are not captured by those forms. The ECOA, as implemented by Regulation B, is not the only federal consumer finance law requiring a creditor to notify consumers in certain circumstances when it takes adverse action against them. The Fair Credit Reporting Act (“FCRA”), as implemented by Regulation V, likewise contains an adverse action notice requirement.

The adverse action notice requirements under each statute apply in different contexts: the ECOA applies to creditors, and notice must be provided to applicants for extensions of credit where a creditor takes action that negatively impacts the applicant; the FCRA’s requirement extends more broadly to anyone who takes an adverse action against a consumer on the basis of information pertaining to that consumer’s creditworthiness in contexts ranging from transactions for insurance to applications for employment or housing. The adverse action notice requirements of both statutes dovetail, however, when a creditor denies a consumer an application for credit.

To comply with both statutes’ notice requirements, a creditor must understand both the sources of information upon which the credit decision relies and the manner in which those sources and any other factors are assessed to justify the adverse action. Where that decision is made by AI, a lack of clarity about the model’s design and functions may heighten regulatory concerns about a creditor’s ability to provide compliant adverse action notices and could expose a creditor to litigation and enforcement risk. Creditors should therefore design and employ AI models that are explainable in a manner that is sufficient to satisfy their adverse action notice obligations under both the ECOA and the FCRA.

Adverse Action Defined

The ECOA

makes it unlawful for any creditor to discriminate against any applicant . . . on the basis of race, color, religion, national origin, sex or marital status, age (provided the applicant has capacity to contract), [use of public assistance programs], or because the applicant has [exercised rights] under the Consumer Credit Protection Act.

The ECOA defines adverse action as a denial of credit in the amount or terms requested by an applicant, absent a counteroffer, or an account termination or unfavorable alteration to account terms.

The FCRA governs consumer credit report records access and is intended to encourage accuracy, fairness, and the protection of personal information assembled by credit reporting agencies (“CRAs”). As it applies to creditors, the FCRA defines adverse action as coextensive with the ECOA’s definition under section 701(d)(6) of that statute. It also includes an action that is taken on an application or transaction initiated by a consumer or affiliated with an account review and that is adverse to the interests of the consumer. A creditor must provide an FCRA adverse action notice when it takes an adverse action based on information that was (1) in a consumer report; (2) obtained from non-consumer-reporting-agency third parties addressing the creditworthiness, character, personal characteristics, or other similar traits of an applicant; or (3) provided by a corporate affiliate of the creditor.

Since these rules differ, an adverse notice may be necessary under one or both statutes, depending upon the circumstances. Financial institutions can include the disclosures required under both the ECOA and the FCRA in one adverse action notice if both notices are required. For example, both statutes may require a financial institution to provide an adverse action notice when an adverse credit decision is based on either a consumer credit report or information obtained through a non-CRA third party. The FCRA does not impose deadlines to provide adverse action notices, but Regulation B of the ECOA requires notice to be provided within thirty to ninety days, depending on the nature of the adverse action. Thus, combined notices usually adhere to the timing requirements in the ECOA.

Adverse Action Notice Requirements

ECOA

ECOA adverse action notices must be in writing and contain (1) a statement of the action taken; (2) the name and address of the creditor; (3) a statement of the relevant provisions of section 701(a) of the act; and (4) the name and address of the federal agency that oversees the creditor’s compliance.

The written notification must also include either the reasons for action taken (i.e., “a statement of reasons”) or disclosure of the applicant’s right to a statement of reasons and instructions for obtaining one. Statements of reasons must be specific and articulate the principal reasons behind any adverse action, although the relationship between those reasons and the credit denial does not necessarily need to be clear to the applicant. According to 12 C.F.R. part 1002.9(b)(2), statements that the adverse action occurred due to the internal standards of the creditor or that the applicant failed to achieve a qualifying score pursuant to the credit scoring system of the creditor are insufficient. Courts have held that statements of reasons must be detailed enough to be informative.

FCRA

The contents of an adverse action notice under the FCRA vary depending on the sources of information used to make a decision adverse to a consumer’s interests:

  • A creditor that takes adverse action based on information in a consumer report is required to, among other things, provide the consumer with oral, written, or electronic notice of the action. If a credit score factored into the adverse decision, the creditor is required to provide written or electronic notice of the credit score and also provide other information about the credit score, including the range of possible credit scores, factors that adversely affected the consumer’s credit score, the date on which the score was created, and the name of the person or entity that provided the credit score or file upon which it was created.
  • A creditor that takes adverse action based on information from third parties other than CRAs regarding such factors as creditworthiness, credit standing, credit capacity, character, or other factors must disclose upon request the nature of the information used to reach the adverse action. The “nature of the information” refers to the type of information but not necessarily the source on which the creditor relied.
  • A creditor that takes adverse action based upon information provided by one of its corporate affiliates must disclose upon request the nature of the information, except for any information solely related to experiences between the consumer and the affiliate that furnished the information. The standard appears to be less specific and prescriptive than that of the ECOA.

Implications of AI Decision-Making for Adverse Action Notifications

There are clear benefits to using complex algorithms, including AI or machine learning, in consumer credit decisions. AI has the potential to grow access to credit by enabling financial institutions to evaluate the creditworthiness of applicants who might otherwise be impossible to assess using traditional methods because AI can allow creditors to consider more information about credit applicants than is otherwise possible. Such technology could also lead to more efficient, informed, equitable decisions and even lower the cost of credit.

Notwithstanding those potential benefits, AI models in which inputs or outputs lack transparency or are not explainable may pose regulatory risks to creditors. The CFPB has, for example, signaled that a “creditor cannot justify noncompliance with the ECOA and Regulation B’s [adverse action] requirements based on the mere fact that the technology it employs is too complicated or opaque to understand.” Use of an AI model likely poses similar risks to a creditor’s compliance with the FCRA’s adverse action requirements, which require the creditor to be able to identify the nature of the information used (outside of a consumer report) to assess an applicant’s creditworthiness.

As the Official Interpretations to Regulation B make clear, however, disclosure of information sufficient to satisfy one statute’s adverse action notice requirements does not necessarily establish compliance with the other’s. As previously noted, courts in particular appear to scrutinize the quality and content of the statement of reasons for adverse action under the ECOA much more carefully than they do the sources of information required to be disclosed in an adverse action notice under the FCRA.

To comply with both statutes, therefore, a creditor must be able to identify inputs to an AI and understand how those inputs were used to arrive at the model’s result. Implementing appropriate governance around the use of these models, including documentation of design choices and updates, testing to improve transparency and explainability, and legal and/or compliance oversight of the adverse action notices, will help reduce regulatory risks.

In addition, where such models are built by third-party vendors, creditors should consider revising their contracts to allow for a creditor’s precontractual diligence and vetting of those models to ensure that the creditor is able to comply with these regulatory obligations. Moreover, for those creditors subject to the authority of the Federal Deposit Insurance Corporation (“FDIC”), Board of Governors of the Federal Reserve (“FRB”), or the Office of the Comptroller of the Currency (“OCC”), care should be taken to ensure that any third-party relationships adhere to the recent Interagency Guidance on Third-Party Relationships: Risk Management.

The authors wish to thank summer associate Lauren Burns for her assistance.

    Authors