.svg)
.svg)
.avif)
.png)
Receive weekly micro lessons on agentic AI, our company updates, and tips from our team right in your inbox. Unsubscribe anytime.
Explainable AI in lending refers to artificial intelligence systems that provide clear, auditable reasons for every credit decision. In 2026, regulators, including the OCC, CFPB, and FDIC, require financial institutions to prove that AI models used in credit decision-making are transparent, fair, and compliant with fair lending laws like the Equal Credit Opportunity Act and the Fair Housing Act.
The CFPB stated plainly in its Winter 2025 Supervisory Highlights: there is no advanced technology exception to federal consumer financial laws. This post covers the regulatory landscape, what examiners look for, and how to build responsible AI lending systems that pass scrutiny.
The regulatory framework governing artificial intelligence in lending is not new. It is built on decades of fair lending laws, model risk management guidance, and consumer protection statutes.
What has changed is how regulators are applying these existing rules to machine learning models, deep learning models, neural networks, and other complex algorithms now embedded in credit decision-making. Whether a lender deploys explainable machine learning, deep learning, or a hybrid of AI models, the compliance obligations are the same.
Two federal laws form the bedrock of fair lending compliance for any AI system used in lending. The Equal Credit Opportunity Act (ECOA), implemented through Regulation B, prohibits discrimination in credit transactions and requires creditors to provide specific, accurate reasons when taking adverse action against applicants.
The Fair Housing Act extends similar protections to mortgage lending, prohibiting discrimination based on protected characteristics, including race, color, national origin, religion, sex, familial status, and disability.
These laws apply regardless of what technology a lender uses to make decisions. Whether credit risk is assessed by a human underwriter, a traditional scorecard, or a deep learning model with thousands of model parameters, the obligation to explain and justify the decision remains the same.
Federal Reserve SR 11-7 (2011): The Federal Reserve and the OCC jointly issued the Supervisory Guidance on Model Risk Management, establishing that model risk should be managed like other risks. This guidance requires independent validation, continuous monitoring, comparison of model outputs to actual outcomes, and documentation detailed enough for unfamiliar parties to understand the model's operation. It remains the baseline for model risk management at every regulated financial institution.
CFPB Circular 2022-03 (May 2022): The CFPB confirmed that ECOA adverse action requirements apply in full to credit decisions based on complex algorithms, including those marketed as artificial intelligence. The circular stated that creditors cannot avoid these obligations simply because they use AI or machine learning models that are difficult to interpret.
CFPB Circular 2023-03 (September 2023): The CFPB expanded on its earlier guidance, clarifying that sample adverse action checklists are not exhaustive and that creditors using AI systems must provide specific, accurate reasons for each denial.
Generic explanations like "purchasing history" or "insufficient projected income" do not satisfy the law when the actual basis for denial involves specific behavioral data fed into an algorithmic model.
OCC Comptroller's Handbook Update (2021, reinforced 2025): The OCC's updated Model Risk Management handbook explicitly addresses AI, noting that even when AI does not produce traditional quantitative estimates, the associated risks can be high depending on methodological complexity and use. The handbook emphasizes analyzing the potential for implicit bias in AI models and tools, and links model risk management directly to fair lending compliance.
In October 2025, OCC Bulletin 2025-26 clarified that model risk management practices should be commensurate with the institution's risk exposures, signaling a broader review of AI governance expectations for banks of all sizes.
CFPB Winter 2025 Supervisory Highlights (January 2025): This special edition focused on advanced technologies in credit scoring. Examiners found that credit scoring models used by card lenders and auto lenders produced disproportionately negative outcomes for protected groups.
The CFPB directed institutions to search for less discriminatory alternatives (LDAs) using open-source automated debiasing methodologies, and to document why they chose specific models over less discriminatory options.
GAO Report GAO-25-107197 (May 2025): The Government Accountability Office published a comprehensive review of AI use and oversight in financial services. The report found that regulators primarily rely on existing laws and supervisory frameworks to oversee AI, rather than developing new regulations.
Critically, the GAO recommended that the NCUA update its model risk management guidance to encompass a wider variety of AI models used by credit unions, and reiterated its recommendation that Congress grant NCUA authority to examine third-party technology service providers.
EU AI Act (August 2026 enforcement): The European Union's AI Act classifies credit scoring and creditworthiness assessment as high-risk AI uses under Annex III. Full enforcement obligations for high-risk AI systems take effect in August 2026, requiring technical documentation, human oversight mechanisms, bias monitoring, and transparency to applicants. U.S. financial institutions serving European customers or operating internationally face corresponding pressure to meet these standards.
During AI-focused examinations, examiners are not asking abstract questions about responsible AI or trustworthy AI principles. They are asking operational, evidence-based questions drawn from existing regulatory standards. Based on OCC examination procedures, CFPB supervisory guidance, and the GAO's 2025 findings, examiners typically focus on the following areas:
These are not hypothetical concerns. The CFPB's Winter 2025 Supervisory Highlights documented real examination findings where institutions failed to adequately test their adverse action notice methodologies or search for alternative models with less disparate impact.
Financial institutions using alternative data, big data analytics, or AI algorithms with large feature sets face heightened compliance challenges because the relationship between inputs and outcomes is harder to trace. AI explainability is the operational discipline that makes regulatory compliance achievable in this environment.
AI explainability in lending is not a single concept. It operates at multiple levels, each addressing different aspects of regulatory compliance and operational governance. Lenders who treat explainable artificial intelligence as a checkbox, rather than a layered discipline, risk failing examiner scrutiny on any of these dimensions.
The distinction matters because different AI models, from traditional scorecards to neural networks and deep learning architectures, require different explainability techniques to meet responsible AI standards. There are three levels of explainability here.
Global explainability refers to understanding the overall logic and structure of machine learning models. For lenders, this means being able to articulate which features the AI models rely on, how those features interact, and what the general decision-making processes look like at a high level.
Regulators expect this level of model transparency as part of model risk management documentation. Under SR 11-7, model documentation should be detailed enough that an independent party unfamiliar with the model can understand its operation. Explainable AI at the global level gives examiners the confidence that the institution understands what its machine learning models are doing.
Local explainability addresses individual credit decisions. When a specific applicant is denied, fair lending laws require that the lender provide specific reasons tied to that applicant's profile. This is where black box models fail regulatory scrutiny. If the AI model cannot decompose its output into interpretable factor contributions for each application, the lender cannot satisfy ECOA adverse action requirements.
Explainable AI techniques such as SHAP (SHapley Additive exPlanations) and LIME (Local Interpretable Model-agnostic Explanations) are commonly used XAI techniques for generating local explanations from complex models. These explainability techniques enable machine learning models to produce the kind of specific, individualized adverse action reasons that fair lending laws demand.
Counterfactual explanations go further by telling applicants what would need to be different for a favorable outcome. While not explicitly required by current U.S. regulation, this level of explainable artificial intelligence is increasingly viewed as a best practice for responsible AI in lending and is strongly encouraged under the EU AI Act's transparency provisions.
For example, a counterfactual explanation might indicate that an applicant would have been approved with a lower debt-to-income ratio or a longer credit history, rather than a vague reference to "other factors" in the applicant's profile. This type of AI explainability supports equitable access to credit by giving applicants actionable information about how to improve their creditworthiness.
There is an important distinction between understanding how an AI model works internally (model transparency) and being able to explain a specific output to a consumer or regulator (outcome explainability). Regulators require both. Model risk management frameworks demand the first. Fair lending laws demand the second.
Financial institutions that invest only in internal documentation without building consumer-facing explanation capabilities will find themselves non-compliant when examiners review adverse action processes. Explainable AI bridges this gap by enabling AI models to produce both internal audit documentation and external consumer-facing explanations from the same underlying machine learning architecture.
The term "black box" refers to AI systems whose internal decision-making processes are opaque or inaccessible to human users and regulators. In lending, black box models create a direct conflict with regulatory compliance requirements that demand transparency and explainability.
Large language models and other general-purpose artificial intelligence AI tools are not built for regulated credit decision-making. They lack the structured audit trails, deterministic outputs, and decision traceability that examiners require. A model that cannot explain why it weighted one factor over another in a specific credit risk assessment cannot generate compliant adverse action notices.
As the CFPB has stated, ECOA does not permit creditors to use black box algorithms when doing so means the creditor cannot provide specific and accurate reasons for adverse action. For financial institutions evaluating AI services and AI algorithms for lending, this distinction between general-purpose and purpose-built explainable AI is critical.
Black box models also amplify AI risks associated with historical lending data and training data quality. If training data reflects historical patterns of discrimination, such as lower approval rates for applicants from certain zip codes that correlate with protected characteristics like race, the AI models will learn and perpetuate those patterns. This creates disparate impact liability, even when the model does not explicitly use protected characteristics as inputs.
The CFPB's Winter 2025 Supervisory Highlights specifically flagged machine learning models using more than 1,000 input variables, including alternative data not directly related to financial behavior, as high risk for encoding correlated factors and other correlated factors that serve as proxies for prohibited bases.
When alternative data such as purchasing history, social media activity, or other factors outside traditional credit files enter the training pipeline, AI developers must rigorously test for proxy discrimination.
Regulators are not opposed to artificial intelligence in lending. They are opposed to AI, which they cannot examine. The current regulatory landscape requires lending systems built with purpose, not adapted from general-purpose tools.
This means AI systems with confidence scoring on every output, full decision audit trails, the ability to generate compliant adverse action notices from AI model outputs, and human-in-the-loop review for decisions that fall below confidence thresholds.
Financial institutions that deploy machine learning models without these capabilities face compliance challenges not just from individual enforcement actions, but from systematic examination findings that can restrict business operations. Responsible AI in lending means building explainable AI into the system architecture from day one, not retrofitting it after regulators raise concerns.
AgentFlow was designed from its foundation for regulated environments where every AI decision must be transparent, auditable, and defensible. For financial institutions navigating the current regulatory landscape for explainable AI in lending, AgentFlow addresses the core regulatory compliance requirements that examiners evaluate.
Unlike black box models or generic AI algorithms, AgentFlow embeds model explainability and AI governance into every step of the lending workflow.
Every field extraction, classification, and risk assessment performed by AgentFlow includes a confidence score that quantifies the AI's certainty level. This is not a binary pass/fail. It is a calibrated measure that tells lending teams exactly how much weight to place on each AI output.
When confidence falls below institution-defined thresholds, the system automatically routes the decision for human review, creating a documented decision trail that satisfies AI governance requirements and model risk management expectations.
AgentFlow generates comprehensive audit trails for every action taken in the lending workflow. Each decision point records what data was used, what the AI model recommended, what confidence level was assigned, and whether a human user reviewed or overrode the recommendation.
These audit trails directly support the documentation requirements of SR 11-7 and the CFPB's expectations for adverse action notice compliance. When examiners ask how a specific loan was approved or denied, the answer is available in a structured, exportable format.
Regulatory compliance is not about removing humans from the process. It is about deploying AI processes that handle routine, high-confidence work while routing exceptions, edge cases, and low-confidence decisions to qualified human users.
AgentFlow's review workflows are configurable by institution, meaning that each lender can set their own thresholds for automated processing versus human review based on their risk appetite and regulatory requirements. This approach addresses a core examiner concern: that AI projects and new systems do not simply automate decisions without appropriate oversight.
AgentFlow produces reports formatted for regulatory examination, including model performance metrics, confidence distributions, exception rates, and override documentation. These reports support the continuous monitoring that regulators expect and provide the evidence base needed for model validation and fair lending testing.
Rather than scrambling to assemble documentation during an exam, institutions using AgentFlow have it generated as a byproduct of normal operations. This approach transforms regulatory compliance from a periodic compliance challenge into an embedded operational capability.
Use this checklist to evaluate whether your current lending AI, or a vendor you are considering, meets the regulatory compliance requirements examiners are actively enforcing. Each item maps to a specific regulatory standard and includes the action you should take, what to look for, and the red flag that signals non-compliance.
Regulatory basis: ECOA, Regulation B, CFPB Circulars 2022-03 and 2023-03.
Action: Run a test denial through your AI system. Review the adverse action reasons it generates. Confirm each reason is specific to the individual applicant and tied to actual model factors, not pulled from a generic checklist.
What to look for: The system should produce individualized reasons that change based on each applicant's data. Look for the ability to trace every reason back to a specific variable or set of variables the model weighted in that decision. Systems with field-level confidence scoring make this traceability possible by quantifying exactly how certain the AI was about each input and output.
Red flag: The system generates the same four or five reasons for most denials, or cannot explain how it selected the reasons it provided.
Regulatory basis: Federal Reserve SR 11-7, OCC Comptroller's Handbook on Model Risk Management.
Action: Select five recent credit decisions at random. For each, request the complete audit trail: what data entered the model, what the AI model recommended, what confidence level was assigned, and whether a human user reviewed or overrode the recommendation.
What to look for: A structured, exportable record for every decision point in the lending workflow. The audit trail should be generated automatically as a byproduct of each decision, not assembled manually after the fact. The best lending systems produce examiner-ready documentation without any additional effort from the lending team.
Red flag: The vendor requires your team to manually log AI decisions, or cannot produce a full record for a specific loan on demand.
Regulatory basis: CFPB Winter 2025 Supervisory Highlights, ECOA disparate impact standards.
Action: Request the vendor's most recent fair lending test results, including disparate impact analysis across all protected characteristics. Ask to see the less discriminatory alternatives (LDAs) they evaluated and why they selected the current model over those alternatives.
What to look for: Documented evidence that the vendor or your internal team tested multiple machine learning models, compared model performance and prediction accuracy across demographic groups, and selected the model with the least discriminatory impact that still met legitimate business needs. This analysis should be repeatable and updated at regular intervals, not conducted once at deployment.
Red flag: No LDA analysis exists, or the vendor claims their model is fair without providing test results. The CFPB's 2025 Supervisory Highlights showed that examiners will run their own LDA analysis if lenders have not.
Regulatory basis: OCC examination procedures, EU AI Act Article 14 human oversight requirements.
Action: Identify how the system handles low-confidence or borderline decisions. Test what happens when the AI output falls below your institution's acceptable threshold.
What to look for: Configurable confidence thresholds that your institution controls, not fixed by the vendor. When a decision falls below the threshold, the system should automatically route it to a qualified human reviewer with all relevant context displayed, including what the AI recommended and why. The routing, the human decision, and the override rationale should all be captured in the same audit trail.
Red flag: The system is fully automated with no mechanism for human review, or the thresholds are hardcoded and cannot be adjusted based on your institution's risk appetite and regulatory requirements.
Regulatory basis: GAO-25-107197 (May 2025), OCC guidance on third-party risk management.
Action: Request documentation on the training data used to build each AI model in your lending workflow. This should include data sources, composition, time period, and any alternative data included beyond traditional credit bureau files.
What to look for: Full provenance documentation for all training data. If the model uses alternative data such as purchasing history, utility payments, or behavioral signals, confirm the vendor has tested these inputs for correlation with protected characteristics. Models trained on historical lending data should include documentation of how historical bias was identified and mitigated. Institutions should retain the right to audit training data under the vendor contract.
Red flag: The vendor treats training data as proprietary and refuses to disclose sources, or has not tested alternative data inputs for proxy discrimination.
Regulatory basis: SR 11-7 model documentation requirements, ECOA adverse action standards, EU AI Act transparency obligations.
Action: Ask the vendor to demonstrate explainability at three levels: (1) global model behavior, showing which features matter most across all decisions, (2) local explanations for an individual loan decision, and (3) counterfactual outputs showing what would change the outcome for a specific applicant.
What to look for: XAI techniques like SHAP or LIME for local explanations, combined with global feature importance rankings for overall model transparency. The system should be able to generate these explanations on demand for any individual decision, not just in aggregate. Glass box approaches or inherently interpretable models may offer advantages for high-stakes credit decisions. At a minimum, verify the system can produce explanations that satisfy both internal model risk management reviews and consumer-facing adverse action requirements.
Red flag: The vendor can only show aggregate model statistics but cannot explain a single individual decision, or relies entirely on post-hoc explanations that do not reflect the model's actual decision-making processes.
Regulatory basis: SR 11-7 ongoing monitoring requirements, OCC Bulletin 2025-26.
Action: Review what monitoring the system performs automatically after deployment. Ask to see a sample regulatory report that the system can generate.
What to look for: Automated tracking of model performance, data drift, model accuracy degradation, and shifts in model behavior over time. Reports should be formatted for regulatory examination, not raw data dumps. The best systems generate these reports as an automatic output of daily operations, so your team does not need to build a separate reporting infrastructure for examination preparation.
Red flag: Monitoring is manual, the vendor provides no ongoing performance tracking, or reporting requires significant manual effort from your team to assemble into examiner-ready format.
How to use this checklist: Score each area as Compliant, Partially Compliant, or Non-Compliant. Any area scored Non-Compliant represents immediate regulatory risk and should be addressed before your next examination. Share this checklist with your model risk management team, compliance officers, and any third-party AI vendors currently serving your lending operations.
Yes. No federal law prohibits artificial intelligence in lending. The CFPB, OCC, FDIC, and Federal Reserve affirm that AI use in financial products is permitted if the institution complies with fair lending laws, adverse action requirements, and model risk management standards. Regulators require responsible AI with explainable AI capabilities, not abstinence from machine learning.
The CFPB's Circulars 2022-03 and 2023-03 require creditors using machine learning models and AI algorithms for credit decision making to provide specific, accurate adverse action reasons. The Winter 2025 Supervisory Highlights flagged underwriting models with 1,000+ variables for disparate impact concerns and directed financial institutions to search for less discriminatory alternatives.
Auditing involves model documentation review (training data, model parameters, architecture), independent model validation for model accuracy and model performance, fair lending analysis across protected characteristics, adverse action testing, and continuous monitoring for model behavior drift. SR 11-7 provides the framework. For deep learning or neural networks, evaluate XAI techniques and historical lending data bias.
A legally required notice explaining why a credit application was denied. Under ECOA, creditors must provide specific reasons even when AI models or machine learning models make the decision. Black box models do not excuse this obligation. Explainable AI enables compliant notices from complex models, from glass box approaches to neural networks and deep learning architectures.
Government agencies can impose consent orders, civil penalties, and require remediation. U.S. enforcement actions have totaled $89 million in the AI lending space. Financial institutions also face class action lawsuits and reputational model risk. The regulatory standards are clear: institutions bear full accountability for AI models regardless of whether AI service providers built them.
The European Union's AI Act has extraterritorial reach. Any financial institution serving EU residents must comply by August 2026. It classifies credit scoring as high-risk, requiring model transparency, AI governance, risk assessment, and responsible AI standards. Training AI models for lending under this framework requires documented data governance and explainable AI capabilities. Penalties reach 7% of global revenue.
Explore how our agentic AI can automate your workflows and boost profitability.
Get answers to all your questions
See how AI Agents work in real time
Learn AgentFlow manages all your agentic workflows
Uncover the best AI use cases for your business
.png)
