Do AI-driven adverse actions require fair lending notices?

Last verified: May 28, 2026

Answer

Yes. Federal fair lending laws require adverse action notices regardless of whether the decision was made by AI. Under ECOA and Regulation B, lenders must provide written adverse action notices with specific reasons for credit denials — regulators have clarified this applies even when an AI model is the proximate decision-maker. FCRA similarly requires adverse action notices when a consumer report influences a credit or employment decision. Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205) adds a state-level layer: financial services is a consequential decision, so lenders using an automated decision-making technology (ADMT) must give interaction notice, explain an adverse decision within 30 days, allow correction of inaccurate personal data, and provide meaningful human review — creating overlapping obligations for Colorado lenders.

Applicable Regulations

SB-26-189

Colorado AI Act — Automated Decision-Making Technology (SB 26-189, repeal & reenactment of SB 24-205)

enacted

On 2026-05-14 Governor Polis signed SB 26-189, which repeals and reenacts the Colorado AI Act (originally SB 24-205). The new law abandons the risk-management / annual-impact-assessment model and replaces it with a disclosure-and-notice framework governing "automated decision-making technology" (ADMT) that makes or substantially influences "consequential decisions" (education, employment, housing, financial services, insurance, healthcare, government services). The statute formally takes effect 2026-08-12 (no safety clause), but all substantive compliance obligations — for both deployers and developers — begin 2027-01-01, which is the operative date for regulated businesses; the Attorney General's implementing rules are also due by 2027-01-01. The AG has stated he will not enforce until the mandatory rulemaking process concludes.

Key Requirements

Interaction Notice Deployers must give clear notice at the point of interaction when a consumer interacts with an automated decision-making technology (ADMT)
Adverse-Outcome Disclosure Provide a plain-language explanation within 30 days of an adverse consequential decision made or substantially influenced by an ADMT
Data Correction Right Allow consumers to request correction of factually incorrect personal data used by the ADMT
Meaningful Human Review Provide meaningful human review and reconsideration after an adverse consequential decision
Developer Documentation Developers must supply technical documentation (intended uses, known harmful uses, training-data categories, known limitations and risks, and instructions enabling meaningful human review), notify deployers of material updates, and retain compliance records for 3+ years. Like all duties under the act, these obligations begin 2027-01-01
Effective: 2027-01-01 Penalties: Enforced exclusively by the Colorado Attorney General; violations are treated as deceptive trade practices under the Colorado Consumer Protection Act. Before enforcement the AG must give 60 days' written notice and an opportunity to cure; this cure right sunsets 2030-01-01, after which enforcement may be immediate. The AG has stated no enforcement will occur until the mandatory rulemaking process concludes.

Industry Context

Financial Services & Fintech

Banks, credit unions, investment firms, fintech companies, and financial advisors that deploy AI for credit decisioning, underwriting, portfolio management, fraud detection, and customer engagement. These firms face overlapping state AI obligations and federal financial regulations (ECOA, FCRA, Dodd-Frank), creating a layered compliance environment where state AI laws add requirements on top of — not in place of — existing federal frameworks.

Typical Compliance Gaps

No disparate impact testing of AI credit or underwriting models beyond federal minimums
No state-level AI disclosure to consumers about automated financial decisions
Lack of documentation mapping AI model outputs to specific adverse actions
Assumption that federal banking compliance satisfies state AI law obligations

Full State Analysis

Colorado AI Regulations

Where this lands operationally

Gridex turns the compliance or coverage question into operated workflow controls: intake, review points, audit trails, and the places a person stays in the decision.

Governed AI DeploymentRun AI inside real work with audit trails, human review points, and the operating controls underwriters and regulators expect.Managed Intake & QualificationCapture, qualify, and route incoming work with disclosure, consent, and human review built into the intake step.

Map This Workflow With Gridex

Use this research to identify the workflow, review points, and operating controls that would matter in your organization.

Map This Workflow With Gridex

Related Questions

  • What AI rules apply to financial services in Colorado? Under Colorado's AI Act (reenacted by SB 26-189; obligations begin 2027-01-01), financial services is an enumerated consequential-decision category — meaning ADMT used in lending, credit underwriting, or insurance decisions triggers the full set of deployer duties: (1) interaction notice at the point of consumer contact; (2) adverse-outcome disclosure within 30 days of an adverse decision; (3) allow correction of factually incorrect personal data used by the ADMT; and (4) meaningful human review and reconsideration after an adverse decision. Impact assessments and 'high-risk AI system' classification from SB 24-205 no longer apply in Colorado.
  • What are the Colorado AI Act consumer notice requirements? Under Colorado's AI Act as reenacted by SB 26-189 (obligations begin 2027-01-01), ADMT deployers have two distinct notice duties: (1) interaction notice — clear notice at the point of interaction when a consumer interacts with an ADMT; and (2) adverse-outcome disclosure — a plain-language explanation delivered within 30 days when an ADMT makes or substantially influences an adverse consequential decision. The prior SB 24-205 'proximate cause' and pre-decision notice framing no longer applies.
  • Which states give consumers the right to appeal AI decisions? Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205) gives consumers meaningful human review and reconsideration after an adverse consequential decision made or substantially influenced by an automated decision-making technology (ADMT). Connecticut SB-1103 similarly provides the right to appeal adverse decisions made by high-risk AI systems and request human review.
  • What AI governance do financial services firms need? Financial services firms need AI governance covering model risk management, fair lending compliance for AI-driven decisions, and documentation of AI decision-making processes for regulatory examination. Financial services is a covered 'consequential decision' area under Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205): a firm using automated decision-making technology must give interaction notice, disclose an adverse decision within 30 days, let consumers correct inaccurate personal data, and provide meaningful human review — replacing the prior impact-assessment requirements.
Disclaimer: This content is provided for informational purposes only and does not constitute legal advice. AI regulations and insurance policy terms change frequently. Consult with a qualified attorney or insurance professional for advice specific to your situation. Gridex makes no warranties regarding the accuracy or completeness of this information.