Is a loan approval AI agent considered high-risk under the EU AI Act?

Yes. EU AI Act Annex III, Category 5 explicitly lists AI systems used to evaluate the creditworthiness of natural persons or establish their credit score as high-risk. This includes AI that makes or influences loan approval, credit limit, or interest rate decisions for individual consumers. All high-risk obligations in Articles 9-15 apply, including Article 12 automatic logging requirements.

What does ECOA require for AI-driven adverse action notices?

The Equal Credit Opportunity Act and Regulation B require creditors to provide specific reasons for adverse actions — loan denials, unfavorable terms, or credit limit reductions. For AI-driven decisions, the reasons must reflect the actual factors the AI weighted. Generic reasons are insufficient if the AI primarily used debt-to-income ratio. The CFPB has issued guidance that AI-driven adverse action notices must reflect the specific factors that actually drove the decision.

How long do loan approval AI decision records need to be retained?

ECOA requires retention of credit application and action records for 25 months (consumer credit) or 12 months (business credit). MiFID II Article 25 requires 5 years for investment-related recommendations. EU AI Act requires a minimum 6 months after system decommissioning. In practice, US consumer lending teams implement 7-year retention to align with FCRA and state requirements.

What does the CFPB require for explainable AI in lending?

The CFPB has indicated that AI-driven credit decisions must comply with ECOA adverse action notice requirements regardless of model complexity. This means: specific factors that actually drove the decision (not proxy variables), factors ranked by importance, and language that accurately describes what the factor means in the context of the decision. The CFPB has explicitly stated that uninterpretable AI models do not exempt creditors from adverse action notice requirements.

Can I use the same AI model for EU and US loan approval decisions?

Yes, but with different compliance overlays. The EU requires Article 12 logging, Annex IV technical documentation, Article 13 transparency, and Article 14 human oversight records. The US requires ECOA adverse action notices, FCRA permissible purpose records, and state-specific fair lending documentation. Using a single model with a compliance layer that generates both sets of artifacts is the most efficient approach.

How do I test a new underwriting model before deploying it to production?

Use deterministic replay: re-execute a representative sample of past production loan decisions against the candidate model using stored context snapshots. This shows the behavioral delta — how many decisions would change, which applicant segments are affected, and whether the changes are consistent with policy intent. EU AI Act Article 9 requires risk management including testing under realistic conditions; deterministic replay on production decision history is the closest available approximation.

What happens if the AI makes a discriminatory loan decision?

Fair lending laws (ECOA, FHA in the US; EU AI Act in Europe) impose liability when AI loan decisions produce disparate impact on protected classes. The key is having decision records that allow retroactive analysis: can you identify the decisions, the factors that drove them, and whether the patterns are consistent with lawful policy? A decision audit trail is essential for responding to regulatory investigations and for proactive fair lending analysis.

Is on-premise deployment required for loan approval AI?

Not always, but many regulated financial institutions require it for data residency. Banks subject to bank examination (OCC, Federal Reserve, FDIC, NCUA) must be able to provide examiners with access to AI decision records. For institutions with strict data residency requirements, on-premise VPC deployment means decision data never leaves the institution's infrastructure — which also simplifies examiner access.

How to Build an Auditable Loan Approval AI Agent That Satisfies Regulators

EU AI Act Annex III explicitly lists credit scoring AI as high-risk, triggering Articles 9, 12, 13, 14, and 26 obligations. ECOA and Regulation B require adverse action notices with specific factors reflecting actual AI decision drivers. This guide builds a complete loan approval AI agent with structured factor output, tamper-evident decision records, ECOA adverse action generation, and pre-deployment deterministic replay — everything regulators and bank examiners actually ask for.

Regulatory Requirements for Loan AI

Key regulations: EU AI Act Annex III Category 5 (credit scoring AI is explicitly high-risk, Article 12 logging required), ECOA/Regulation B (adverse action notices with specific principal factors reflecting actual AI decision drivers), FCRA (permissible purpose records for credit inquiries, 25-month retention), CFPB Guidance 2023 (AI adverse action notices must describe actual model factors — uninterpretable model does not exempt lender), Fair Housing Act/HMDA (demographic data for disparate impact analysis), MiFID II (5-year retention for investment-related credit decisions).

What Regulators Actually Ask For

Financial regulators examining loan AI systems request: (1) Individual decision records for sampled applications — complete record for each, retrievable by application ID. (2) Model version and policy version provenance — which model was running when this decision was made. (3) Adverse action factor lists — specific factors that drove the denial, ranked by importance, mapped to FCRA reason codes. (4) Fair lending analysis data — aggregate decisions by protected class for disparate impact analysis. (5) Pre-deployment validation evidence — EU AI Act Article 9 requires testing under realistic conditions.

Architecture: 4 Key Decisions

(1) Decision records vs LLM traces: design record schema around regulatory output — ECOA factors, not raw LLM completions. (2) Structured factor output: prompt the LLM to produce FCRA adverse action reason codes and factor weights in structured JSON. (3) Complete context snapshot: capture all model inputs including credit score, DTI, LTV, bureau trade lines, policy version — partial snapshots create examination risk. (4) Human review capture: EU AI Act Article 14 requires capturing human reviewer actions with actor ID, timestamp, decision, and reason for borderline applications.

Implementation with Tenet AI SDK

Use TenetClient with tenet.intent() context manager. Call intent.snapshot_context() with the complete application data including model version and policy version. Prompt the LLM to return structured JSON with decision, confidence, and primary_factors array (each with factor name, observed value, impact, weight, and FCRA adverse action code). Call intent.decide() with ActionOptions built from structured factors, storing adverse_action_codes in metadata. Call intent.execute() to close the tamper-evident record and return a record_id for audit reference.

ECOA Adverse Action Generation

The structured factor output captured in the decision record maps directly to FCRA adverse action reason codes (100-250). Generate adverse action notices by retrieving the decision record and formatting the top 4 principal negative factors using FCRA code descriptions. The audit_record_id in the adverse action notice links the notice to the immutable decision record — when regulators challenge a decision, retrieve the record and verify its cryptographic signature proving it was not altered.

Pre-Deployment Testing with Deterministic Replay

Before deploying a new underwriting model version, use Tenet Deterministic Replay to re-execute a representative sample of past production loan decisions against the candidate model. The output shows: decision change rate, which applicant segments are affected (credit score band, DTI range), whether changes align with policy intent, and fair lending risk from disparate impact analysis by segment. This satisfies EU AI Act Article 9 risk management evidence requirements.