
Fair Lending Risk When Loan Decisions Touch AI: ECOA and Reg B for the AI Era

By Basel Ismail, May 6, 2026


The Equal Credit Opportunity Act has been on the books since 1974. Regulation B, its implementing regulation, has been refined repeatedly since then. Neither mentions machine learning, neural networks, or large language models. And yet together they are arguably the most consequential regulatory framework for any financial institution deploying AI in credit decisioning today. The reason is straightforward: ECOA and Reg B do not care how you discriminate. They care whether you discriminate. The mechanism is irrelevant.

If you are running any AI model that touches a credit decision, even tangentially, you are inside the ECOA/Reg B perimeter. And the CFPB has made it clear they intend to enforce accordingly.

Disparate Impact: The Problem That Optimizes Itself Into Existence

Disparate impact doctrine under ECOA does not require intent. A lender can have perfectly neutral policies, perfectly neutral training data (good luck), and still violate the law if the outcomes disproportionately affect a protected class. This is established law, reinforced in cases like Texas Department of Housing and Community Affairs v. Inclusive Communities Project (2015), which affirmed disparate impact claims under the Fair Housing Act and solidified the analytical framework regulators apply across fair lending.

Machine learning models are particularly good at finding proxies. ZIP code correlates with race. Browsing behavior correlates with age. Employment patterns correlate with national origin. A model optimizing for default prediction will happily latch onto these proxies if they improve accuracy, even marginally. The model does not know it is discriminating. It is just minimizing a loss function.

The CFPB's March 2023 report on AI in lending flagged this explicitly, noting that complex models can "embed and amplify existing disparities" while making those disparities harder to detect. The Bureau has also coordinated with the DOJ, FTC, and EEOC on AI fairness enforcement, issuing a joint statement in April 2023 signaling cross-agency intent to scrutinize algorithmic discrimination.

For traditional logistic regression models, fair lending testing is well understood. You can decompose the model, test each variable, run marginal effects analysis. For gradient-boosted trees, it gets harder. For deep learning or LLM-based systems, it gets significantly harder. But the legal standard does not adjust for technical difficulty. If your model produces disparate impact and you cannot demonstrate a legitimate business necessity that cannot be achieved through less discriminatory means, you have a violation.

Adverse Action Notices: The Explainability Mandate That Already Exists

Section 1002.9 of Reg B requires creditors to provide specific reasons when taking adverse action on a credit application. Not vague reasons. Specific ones. The regulation says the notice must disclose "the principal reason(s) for the adverse action." The CFPB's 2022 circular (Circular 2022-03, issued in May 2022) drove this point home directly in the context of AI: creditors cannot use the complexity of their models as a reason to provide vague or generic adverse action notices.

This is worth sitting with. The CFPB effectively said: we do not care that your model is a black box. You still owe the applicant a real explanation.

The circular specifically addressed situations where creditors rely on algorithms and noted that "the law gives every applicant the right to a specific explanation." Using boilerplate language like "based on our proprietary model" does not satisfy the requirement. The creditor must identify the actual factors, drawn from the applicant's own data, that drove the decision.

For a logistic regression, generating reason codes is mechanical. For an LLM that ingests unstructured text from bank statements, application narratives, or third-party data sources and produces a risk score? Generating faithful, specific, applicant-level explanations is a genuine technical challenge. SHAP values and LIME approximations can help for some model architectures, but they are post-hoc approximations, not ground truth explanations. Regulators are increasingly aware of the difference.
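The logistic regression case mentioned above, as an added example that is not FirmAdapt's code: each feature's contribution to the log-odds is measured against a reference applicant, and the most negative contributions become the principal reasons. The coefficients, reference values, feature names and reason wording are all constructed for illustration.

```python
import math

# Constructed model (assumption): log-odds of approval = INTERCEPT + sum(coef * value).
INTERCEPT = 2.0
COEF = {"debt_to_income": -4.0, "months_employed": 0.02,
        "delinquencies_24m": -0.8, "credit_utilization": -2.0}
# Assumed reference point, e.g. typical values among approved applicants.
REFERENCE = {"debt_to_income": 0.25, "months_employed": 60,
             "delinquencies_24m": 0, "credit_utilization": 0.30}
# Illustrative reason wording, keyed by feature.
REASON_TEXT = {
    "debt_to_income": "Obligations high relative to income",
    "months_employed": "Short length of employment",
    "delinquencies_24m": "Recent delinquent credit obligations",
    "credit_utilization": "High utilization of revolving credit",
}
# Constructed applicant record.
APPLICANT = {"debt_to_income": 0.45, "months_employed": 12,
             "delinquencies_24m": 2, "credit_utilization": 0.35}


def approval_probability(applicant):
    """Model output for one applicant."""
    log_odds = INTERCEPT + sum(COEF[f] * applicant[f] for f in COEF)
    return 1.0 / (1.0 + math.exp(-log_odds))


def principal_reasons(applicant, top_n=2):
    """Rank features by how far they pull this applicant below the reference.

    Only negative contributions qualify: a factor that helped the applicant
    is never a reason for the adverse action.
    """
    contrib = {f: COEF[f] * (applicant[f] - REFERENCE[f]) for f in COEF}
    negative = sorted((c, f) for f, c in contrib.items() if c < 0)
    return [(f, REASON_TEXT[f], round(c, 3)) for c, f in negative[:top_n]]


if __name__ == "__main__":
    print(f"approval probability: {approval_probability(APPLICANT):.3f}")
    for feature, text, delta in principal_reasons(APPLICANT):
        print(f"{text} ({feature}, log-odds {delta:+})")
```

The ranking is exact here only because the model is additive in its inputs; for the tree, deep learning and LLM cases the paragraph goes on to describe, per-feature attributions are approximations.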

Why LLMs in the Credit Pipeline Are a Specific Target

Large language models introduce a category of risk that traditional ML models do not. They are trained on internet-scale corpora that contain every bias humans have ever committed to text. They process unstructured inputs, making it nearly impossible to enumerate the features driving a given output. And their behavior can shift with prompt construction, context window contents, and even token ordering.

Consider a practical scenario: a lender uses an LLM to summarize loan officer notes, extract key risk factors from financial documents, or generate preliminary risk assessments that feed into a downstream scoring model. Even if the LLM is not making the final credit decision, its output shapes the decision. Under ECOA, that is enough. The CFPB's guidance on "creditor" and "credit decision" is broad. If the AI output materially influences whether credit is extended, on what terms, or in what amount, it is within scope.

Upstart's 2020 consent order with the CFPB (resolved in 2023 with Upstart paying a $9 million penalty related to marketing practices, though fair lending scrutiny was a persistent theme in their examination history) illustrates how seriously the Bureau takes novel underwriting approaches. The CFPB has also imposed consent orders on companies like Trident Mortgage ($22 million in 2022 for redlining) and Townstone Financial ($105,000 penalty in 2023), signaling sustained enforcement energy around lending discrimination.

Model Risk Management Meets Fair Lending

The OCC's SR 11-7 (model risk management guidance) and the Fed's corresponding framework already require model validation, ongoing monitoring, and documentation. When you layer fair lending obligations on top, the requirements compound:

  • Pre-deployment testing: Disparate impact analysis across all protected classes before the model goes live. This means generating synthetic or holdout test populations and measuring outcome differentials.
  • Ongoing monitoring: Approval rates, pricing, and terms must be monitored continuously by protected class. Drift in model behavior can introduce new disparities over time.
  • Explainability infrastructure: Every adverse action must be traceable to specific, applicant-level factors. This requires explainability tooling that operates at the individual decision level, not just aggregate model-level interpretability.
  • Alternative model analysis: If disparate impact is detected, the lender must demonstrate that no less discriminatory alternative achieves the same business objective. This means maintaining and testing alternative model specifications.
  • Documentation: All of the above must be documented in a manner that can withstand regulatory examination. The CFPB, OCC, and state regulators will want to see the work, not just the conclusions.
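The outcome-differential measurement behind the pre-deployment and ongoing-monitoring items, as an added example that is not FirmAdapt's code: it computes the approval-rate ratio used by the four-fifths rule and a two-proportion standard deviation test against a reference group. The group labels, decision records and alert thresholds are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample decisions (group label, approved?); not real lending data.
DECISIONS = ([("A", True)] * 180 + [("A", False)] * 120
             + [("B", True)] * 90 + [("B", False)] * 110)

# Assumed alert thresholds for this sketch.
AIR_THRESHOLD = 0.8  # four-fifths rule: approval-rate ratio below 80%
Z_THRESHOLD = 2.0    # gap of more than two standard deviations


def approval_counts(decisions):
    """Return {group: (approved, total)} from (group, approved) records."""
    total, approved = Counter(), Counter()
    for group, ok in decisions:
        total[group] += 1
        approved[group] += int(ok)
    return {g: (approved[g], total[g]) for g in total}


def disparate_impact(decisions, reference):
    """Compare every group's approval rate against the reference group."""
    counts = approval_counts(decisions)
    ref_ok, ref_n = counts[reference]
    ref_rate = ref_ok / ref_n
    report = {}
    for group, (ok, n) in counts.items():
        if group == reference:
            continue
        rate = ok / n
        # Adverse impact ratio; undefined if the reference group has no approvals.
        air = rate / ref_rate if ref_rate > 0 else float("nan")
        # Two-proportion z-test with a pooled standard error.
        pooled = (ok + ref_ok) / (n + ref_n)
        se = math.sqrt(pooled * (1 - pooled) * (1 / n + 1 / ref_n))
        z = (ref_rate - rate) / se if se > 0 else 0.0
        report[group] = {"approval_rate": rate, "air": air, "z": z,
                         "below_four_fifths": air < AIR_THRESHOLD,
                         "beyond_z": z > Z_THRESHOLD}
    return report


if __name__ == "__main__":
    for group, row in disparate_impact(DECISIONS, reference="A").items():
        print(group, row)
```

Running the same function over a rolling window of production decisions turns the pre-deployment check into the drift monitor described in the second item.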

For institutions using third-party AI vendors, there is an additional wrinkle. Reg B does not allow you to outsource compliance. If your vendor's model discriminates, you are liable. The CFPB's June 2023 guidance on third-party risk management reinforced that creditors bear responsibility for the models they deploy regardless of who built them.

The Practical Upshot

If you are a general counsel or compliance officer at a financial institution evaluating AI for any part of the credit lifecycle, the question is not whether ECOA and Reg B apply. They do. The question is whether your current compliance infrastructure can handle the explainability, monitoring, and testing demands that AI models create. For most institutions, honestly, the answer is not yet.

The gap between what regulators require and what most AI systems can deliver in terms of transparency is real. Closing it requires purpose-built infrastructure, not just a fairness audit bolted onto an existing model pipeline after the fact.

How FirmAdapt Addresses This

FirmAdapt's architecture is built around the assumption that every AI output in a regulated workflow must be explainable, auditable, and testable for bias at the individual decision level. For financial services clients deploying AI in or near credit decisioning, this means structured logging of model inputs and outputs, integrated disparate impact testing frameworks, and adverse action reason code generation that meets Reg B specificity requirements. The platform maintains decision-level audit trails that map directly to the documentation regulators expect during examination.

FirmAdapt also supports ongoing monitoring for outcome disparities across protected classes, with alerting thresholds calibrated to the statistical tests regulators actually use (including the four-fifths rule and standard deviation analysis). For institutions using third-party models, FirmAdapt provides a compliance wrapper that captures the explainability and fairness data the institution needs regardless of the underlying model architecture.
