What is the CFPB's examination playbook for credit AI?

CFPB examiners examine credit AI under ECOA, FCRA, UDAP, and consumer financial protection law. The examination typically covers five documentation categories: adverse action notices and reason code documentation, fair lending disparate impact testing, model documentation, training data records, and human oversight evidence. Examiners request sample adverse action files, disparate impact analysis by protected class, model development documentation, and override rate data. The most common findings are generic adverse action reasons, no formal disparate impact testing program, and nominal human oversight with very low override rates.

Does CFPB authority extend to fintech lenders and non-bank AI vendors?

The CFPB has supervisory authority over non-bank financial entities meeting certain thresholds — large non-bank mortgage originators, private student loan servicers, payday lenders, and, since 2023, larger participants in consumer lending markets. For AI vendors selling to covered financial institutions, CFPB has examined vendor practices through service provider supervision and has authority to take enforcement action against service providers who violate consumer financial protection law. ECOA's disparate impact prohibition applies to all creditors regardless of bank or non-bank status.

Can a creditor use AI model complexity as a defense for not providing specific adverse action reasons?

No. The CFPB's September 2022 circular explicitly rejected this argument. A creditor's obligation to provide specific adverse action reasons under Regulation B applies regardless of model complexity. An AI system that cannot produce per-decision feature attribution creates ECOA compliance exposure. Acceptable approaches: inherently explainable models with documented reason code mapping, post-hoc explanation methods (SHAP/LIME) applied to the model with documented reliability, or hybrid architectures combining a complex model with a rules-based reason code layer. The CFPB has not formally endorsed any specific approach, but all must produce reason codes that are applicant-specific, not generic.

What evidence does the CFPB look for in fair lending examinations of AI?

CFPB fair lending examiners request: regression analysis or matched pair analysis showing approval rate differentials by protected class, complete feature list with proxy variable identification and business justification, training data demographic composition, disparate impact testing cadence (how often testing is done, what triggers a re-test), documentation of any identified disparate impact and remediation steps taken, and the model change timeline showing whether fair lending re-evaluation occurred after each model change. Examiners pay particular attention to whether disparate impact testing was done prospectively before deployment versus assembled after an examination began.

What AI complexity defense exists against disparate impact findings?

The burden-shifting framework under ECOA allows a creditor to rebut a disparate impact finding by demonstrating business necessity — the feature is required for accurate prediction and there is no less discriminatory alternative with comparable performance. The business necessity defense requires documentation of: the predictive value of the feature at issue, testing of alternative models without the feature or with less discriminatory alternatives, and the performance differential. This documentation must exist as a contemporaneous record, not reconstructed after an examination finding. For AI proxy features (ZIP code, purchase patterns), the business necessity justification is frequently absent.

How does CFPB credit AI examination intersect with FCRA?

FCRA applies when consumer report data is used in credit AI — either in training the model or in real-time decisioning. FCRA issues that appear in credit AI examinations: use of consumer report data for model training without clear permissible purpose documentation; adverse action notices that fail to include the credit bureau name when a consumer report contributed to an AI adverse decision (12 CFR 202.9(a)(3)(ii)); and re-scoring disputes where the current model produces different results than the model active at decision time — creating a FCRA dispute resolution problem. FCRA Section 615 requires the adverse action notice to include the consumer reporting agency's name and contact information when a consumer report contributed to the decision.

What should credit AI teams do before a CFPB examination?

Pre-examination preparation: document model inventory with CFPB-relevant metadata (purpose, decision scope, validation status, model version at key dates); ensure per-decision adverse action reason codes are captured in records and match the reasons in any adverse action notices sent; conduct or update disparate impact analysis with documentation of methodology and results; review human oversight process documentation and compare documented override rates to actual audit records; confirm training data FCRA permissible purpose documentation exists; and ensure 25-month recordkeeping is complete for all adverse decisions. Gaps found before examination are addressable; gaps found by examiners become findings.

How does CFPB credit AI supervision compare to SR 11-7 and FTC?

All three address credit AI but from different angles. CFPB focuses on consumer protection outcomes — specific adverse action reasons, disparate impact testing, FCRA compliance, human oversight documentation. SR 11-7 (Federal Reserve/OCC) focuses on model risk governance — development documentation, independent validation, model inventory, change management. FTC Section 5 focuses on deceptive claims — AI performance claims must be substantiated. In practice: a bank deploying credit AI faces all three simultaneously. The most efficient approach is building a unified documentation system that satisfies all three — per-decision audit trails, reason code documentation, fair lending testing records, model inventory, validation documentation, and change management records.

CFPB AI Supervision: What Examiners Look for in Credit AI Systems

CFPB examiners examining credit AI systems under ECOA, FCRA, and UDAP request documentation in five categories: adverse action records with per-decision reason codes, fair lending disparate impact testing, model documentation including development rationale and validation, training data sources and preprocessing, and human oversight evidence including override rates. This guide maps each CFPB exam request category to the documentation credit AI teams must prepare — and explains the seven most common examination findings.

CFPB Exam Request Category 1: Adverse Action Documentation

CFPB examiners request all adverse action notices and supporting documentation for a sample of AI-denied credit applications. Required records for each adverse decision: the adverse action notice sent to the applicant with specific reason codes, the per-decision feature attribution or reason code basis at decision time, model output and confidence at decision time, model version active at decision time, and any human review record. The most common adverse action finding: reason codes that are generic ("based on information in your application") rather than specific to this applicant ("debt-to-income ratio exceeded threshold"). The CFPB 2022 circular confirmed AI model complexity does not excuse failure to provide specific reasons. Reason codes must be captured at decision time — re-running a current model on historical applications produces different outputs and does not satisfy the original adverse action obligation.

CFPB Exam Request Category 2: Fair Lending Testing

CFPB fair lending examiners request disparate impact analysis, proxy variable documentation, and remediation records. Required materials: disparate impact analysis by protected class (race, sex, national origin, marital status, age) showing approval rate differentials; complete feature list with identification of potential proxy variables and business justification; training data demographic composition and known limitations; model change timeline with fair lending re-evaluation at each change; and remediation documentation for any identified disparate impact. Examiners apply a burden-shifting framework: if the statistical pattern shows disparate impact, the creditor must demonstrate business necessity and the absence of a less discriminatory alternative. Documentation must show the testing was done prospectively, not assembled in response to the examination.

CFPB Exam Request Category 3: Model Documentation

CFPB model documentation requests overlap significantly with SR 11-7 requirements and EU AI Act Annex IV. Required materials: model inventory entry showing this model is in scope for MRM; development documentation covering purpose, methodology, data sources, and known limitations; independent validation reports; change management records showing each model update with validation status; and use limitation documentation defining what decisions this model is authorized to make. The most common model documentation finding: no formal development documentation for models "inherited" from prior versions or transferred from a vendor. If a model is in production making credit decisions, it needs current development documentation — vendor documentation may not satisfy CFPB expectations for creditor-level accountability.

CFPB Exam Request Category 4: Training Data Records

CFPB training data requests focus on FCRA compliance, data quality, and demographic representation. Required materials: training data sources with documentation of FCRA compliance for any consumer report data used in training; demographic composition of training data; data preprocessing steps including exclusions and transformations; known data quality limitations and how they were addressed; and ongoing data quality monitoring documentation. FCRA compliance for training data is frequently overlooked: consumer report data used in AI training requires permissible purpose, and the permissible purpose for training may differ from the permissible purpose for operational use. Examiners have flagged use of credit bureau data for model training where permissible purpose was unclear.

CFPB Exam Request Category 5: Human Oversight Evidence

CFPB examiners request evidence that human oversight is genuine rather than nominal. Required materials: documented human review process with reviewer qualifications and authority to override AI decisions; override rate data showing actual review rates (not just process documentation); escalation criteria defining when human review is triggered; audit trail records linking AI decisions to human review outcomes; and consumer rights documentation showing how consumers can request human review of adverse decisions. The most common human oversight finding: review rates that are nominally compliant but practically zero — a process that exists on paper but is bypassed in operations. Examiners have required remediation plans when override rates suggest human reviewers are routinely ratifying AI decisions without genuine review.