As we have repeatedly discussed this year in our Financial Services Perspectives blog, the current leadership of the CFPB has placed a significant emphasis upon fair lending. Seemingly once a month, or even more frequently at times, Director Rohit Chopra has announced a new initiative concerning fair lending and discrimination in the financial services industry. In February, for instance, the CFPB released a blog post to discuss possible discrimination in the appraisal process, and in March, the CFPB set forth major changes to its supervisory operations with respect to “unfair” discriminatory practices in the financial services industry. Also in March, Director Chopra issued a statement regarding the final report of the Interagency Task Force on Property Appraisal and Valuation Equity (PAVE) and in doing so, emphasized accuracy and non-discrimination in algorithmic home valuations. To this end, Director Chopra and other CFPB personnel have also made numerous recent public statements to express their concerns regarding “algorithmic bias,” “digital redlining,” and “robo discrimination.”
The trend continued this week, as the CFPB issued a circular (Circular 2022-03) on May 26, 2022, to clarify creditors’ responsibilities to consumers when relying upon “black-box” or “algorithmic” underwriting models to make credit decisions. In conjunction with issuing Circular 2022-03, the CFPB also issued a press release to explain the rationale for issuing new guidance regarding creditors’ adverse action notice requirements under the Equal Credit Opportunity Act (ECOA). Per Director Chopra, “[c]ompanies are not absolved of their legal responsibilities when they let a black-box model make lending decisions,” as “[t]he law gives every applicant the right to a specific explanation if their application for credit was denied, and that right is not diminished simply because a company uses a complex algorithm that it doesn’t understand.”
Circular 2022-03 provides guidance to answer the following question: “When creditors make credit decisions based on complex algorithms that prevent creditors from accurately identifying the specific reasons for denying credit or taking other adverse actions, do these creditors need to comply with the Equal Credit Opportunity Act’s requirement to provide a statement of specific reasons to applicants against whom adverse action is taken?” Given the CFPB’s recent scrutiny of algorithmic loan decision-making, the response to this question was, somewhat unsurprisingly, “Yes.” In answering this question, the CFPB provided the following guidance:
- “ECOA does not permit creditors to use technology that prevents them from providing specific and accurate reasons for adverse actions. Creditors’ use of complex algorithms should not limit enforcement of ECOA or other federal consumer financial protection laws.” In providing this clarification, the CFPB explained that creditors subject to Regulation B must be able to provide a statement of reasons for any adverse action that (a) is “specific” and (b) indicates the principal reason(s) for adverse action.
- Creditors cannot justify noncompliance with ECOA based on the mere fact that the technology they use to evaluate credit applications is too complicated, too opaque in its decision-making, or too new. There is no exception for violating the law because a creditor is using technology that has not been adequately designed, tested, or understood. As a result of this guidance, creditors must be in a position to understand the nuances of the technology that provides credit decisions because they must be able to communicate the required adverse action information to consumers.
- Critically, “[a] creditor’s lack of understanding of its own methods is therefore not a cognizable defense against liability for violating ECOA and Regulation B’s requirements.”
- The CFPB encouraged whistleblowers to come forward to provide information about “black-box models” that violate various federal consumer protection laws, including ECOA.
In our estimation, there are a number of practical impacts that will follow from this guidance, including:
- Financial services entities that use AI, machine learning, or other algorithmic coding to help make credit decisions are now clearly on notice that they must comply with ECOA’s adverse action requirements. This will require knowledge of the principal reason(s) for any adverse action in order to communicate that information to consumers.
- Financial services entities may not use ignorance as an excuse. This is important because many vendors are reluctant to provide the trade secrets/coding underlying their technology, and therefore it is sometimes hard for financial services entities to understand exactly why an adverse action has been taken. It is clear, in light of Circular 2022-03, that vendor management is now going to be a bigger issue – and compliant financial services entities will need to work with vendors to provide some transparency to allow for fulsome adverse action statements to consumers.
- In addition to ECOA/Regulation B impacts associated with this guidance, it is important to remember that discrimination is now considered to be a UDAAP per recent CFPB guidance. As a result, the information financial services entities are now required to understand to comply with adverse action requirements is also subject to being measured for discrimination analysis purposes.
This most recent CFPB circular lies at the nexus of two important regulatory trends: an increased focus on fair lending and multiple statements about the importance of vendor management. Because most lenders seeking to utilize algorithmic credit decisioning will use outside vendors with the requisite technical capability, it is critical that lenders be prepared to require – as a term of a vendor services agreement – that the service provider have the capability to ensure that Regulation B’s adverse action notice requirement can be met. Moreover, lenders currently using these models must take time to ensure that their current vendors provide discrete reasons for the adverse action. Lenders should remember that, ultimately, a vendor’s ability to do business with them depends on their ability to facilitate compliance with the universe of federal laws and regulations.