November 30, 2020 the Consumer Financial Protection Bureau (“CFPB”) issued its most recent No-Action Letter (“Letter”) pursuant to its No-Action Letters Policy. Since announcing this policy in September of 2019 it has issued a handful of Letters under its innovation policies stating it will not take an enforcement action for the specified activities. This most recent Letter focuses on the use of models and artificial intelligence (“AI”) for making underwriting and pricing decisions for closed end, unsecured, consumer lending.
The Letter recipient (“Recipient”) requested the Letter due to uncertainty regarding the application of certain provisions of the Equal Credit Opportunity Act (and its implementing regulation, Reg B) to its AI model, which it uses to set the maximum loan amount and interest rate of applicants that meet the initial eligibility assessment. The application provides detailed information on the Recipient’s use of models and AI in its processes. You may view the application here.
The Letter sets forth a number of conditions that the Recipient must continue to meet to stay within the confines of the Letter. Although this Letter is not binding on other financial institutions, financial institutions and their vendors using models and/or AI should use this Letter, specifically the conditions it contains, to help inform their own model governance practices beyond the regulatory requirements that are already in existence.
The CFPB requires the Recipient to implement their Model Risk Assessment Plan (“MRAP”). Unfortunately, the Recipient’s MRAP is not provided as an attachment to the Letter as it contains confidential information. However, the CFPB stated some of the requirements in the MRAP within the Letter. This condition highlights the importance of financial institutions assessing the risk associated with whatever AI models the financial institutions wish to use. Conducting risk assessments is not a new concept for financial institutions as they have been a long-standing regulatory requirement (not to mention being a prudent business model). This requirement simply reinforces that risk assessments apply to models and AI too.
The MRAP requires the Recipient to:
- Notify the CFPB of any significant changes to the model prior to implementation.
- Test the model and/or variables or groups of variables on a periodic basis for adverse impact and predictive accuracy and provide the results to the CFPB.
- Provide the CFPB with access to the software code that they are using to implement the MRAP. This shows the importance of financial institutions understanding how their own risk assessment processes works. It is insufficient to simply complete the risk assessment.
- It is not clear in the Letter whether the Recipient has their own in-house MRAP or if they use a vendor. I doubt the answer to that question would change the CFPB’s position. As such, financial institutions that use a vendor to provide their MRAP should consider including a provision in the vendor contract that the vendor is obligated to help the financial institution understand how the risk assessment operates and to share the underlying code with the financial institution and/or their regulators upon request. Financial institutions should ascertain how much information on how the risk assessment makes decisions/recommendations the vendor is willing to provide prior to engaging the vendor. The age-old adage “its proprietary and confidential” is not going to be sufficient.
- Periodically provide the CFPB with model documentation such as a technical report detailing what data is in the model and performance monitoring that specifically speaks to how the Recipient’s customer population and model performance changes over time. It is not enough to look at how the model is currently functioning. Financial institutions must analyze the changes over time. Although not directly stated, financial institutions need to react to those changes, especially if they are negative changes. This requirement is reminiscent of the expectations surrounding consumer complaints.
- Monitor for fair lending concerns as well as access-to-credit testing.
In summary, this Letter provides a nice reminder of the level of scrutiny the CFPB is going to give to models and the use of AI and highlights the continued importance of risk assessments within financial institutions.