ENTRY № 34 · STATUTORY READING · CFPB · ECOA REG B
PUBLISHED 2026-05-11 · ~11-MIN READ · WARRANT COMPLIANCE

CFPB AI guidance, line by line.

The Consumer Financial Protection Bureau has not passed a dedicated AI statute. It has done something narrower and harder to defeat. It has read the existing statutes back over the algorithm. Circular 2022-03 reads ECOA Regulation B back over the black-box credit model. The June 2023 issue spotlight reads UDAAP back over the deployed chatbot. The June 2024 interagency rulemaking reads nondiscrimination back over the automated valuation model. Penalty exposure under 12 U.S.C. 5565 reaches USD 1,000,000 per day for knowing violations of Federal consumer financial law.

Warrant is regulator-grade evidence infrastructure for AI agents in regulated industries: drop an agent's execution trace, get a record mapped to a specific EU AI Act obligation, independently verifiable without contacting Warrant.

REGULATOR · CFPB · Consumer Financial Protection Bureau. Created by Dodd-Frank Title X (2010), codified at 12 U.S.C. 5491.
KEY CIRCULAR · 2022-03 · ECOA adverse-action notices when using complex algorithms. Effective 2022-05-26.
PENALTY · USD 1M/day · Per 12 U.S.C. 5565 third-tier civil penalty for knowing violations. Plus consumer restitution.

01 · THE CFPB STACK

The Bureau, its statutory authority.

The Consumer Financial Protection Bureau was created by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Title X, codified at 12 U.S.C. 5491. The statutory grant is broad. The Bureau regulates the offering and provision of consumer financial products and services under the Federal consumer financial laws, an enumerated list at 12 U.S.C. 5481(14) that includes the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Truth in Lending Act, the Real Estate Settlement Procedures Act, and the Consumer Financial Protection Act itself.

The Bureau has four operative levers. Rulemaking under 12 U.S.C. 5512. Supervision of covered persons under 12 U.S.C. 5514 and 5515. Enforcement under 12 U.S.C. 5564. And interpretive guidance via consumer financial protection circulars, supervisory highlights, and advisory opinions. The AI stack the Bureau has built since 2022 runs almost entirely on the fourth lever.

Circulars are not rules. The Bureau styles them as policy statements that articulate the Bureau's interpretation of how existing law applies. They do not impose new obligations. They do not require notice-and-comment. They are admissible as the agency's reasoned position. A covered person that disregards a circular still faces the underlying ECOA, UDAAP, or FCRA exposure the circular describes. The exposure was already there. The circular tells you where it sits.

"Companies are not absolved of their legal responsibilities when they let a black-box model make lending decisions."
Rohit Chopra · CFPB Director · 2022-05-26

The AI guidance perimeter as of May 2026 has four operative documents and one final rule. Circular 2022-03 on adverse-action notices and complex algorithms, effective 26 May 2022. The June 2023 issue spotlight Chatbots in consumer finance, published 6 June 2023. The Bureau's broader UDAAP and fair-lending statements 2023 to 2025. The interagency Quality Control Standards for Automated Valuation Models final rule, published in the Federal Register 7 August 2024, effective 1 October 2025. And Circular 2024-06 on background dossiers and algorithmic scores, dated 24 October 2024.

Penalty exposure runs through 12 U.S.C. 5565. The three-tier structure is the operative ceiling. Five thousand dollars per day for any violation of Federal consumer financial law. Twenty-five thousand per day for reckless violations. One million per day for knowing violations. The amounts are adjusted annually for inflation under 28 U.S.C. 2461. Each day a noncompliant AI system processes a covered transaction is a separate violation.

02 · CIRCULAR 2022-03

ECOA adverse-action notices when AI is used.

ECOA and Regulation B do not permit creditors to use complex algorithms when doing so means they cannot provide the specific and accurate reasons for adverse actions. A creditor cannot justify noncompliance with ECOA and Regulation B's requirements based on the mere fact that the technology it employs to evaluate applications is too complicated or opaque to understand.
CFPB Circular 2022-03 · question presented · 26 May 2022

The circular asks one question and gives one answer. The question is whether ECOA's adverse-action notification requirements apply when a creditor uses a complex algorithm such that the creditor cannot accurately identify the specific reasons for denying credit. The answer is yes. The use of a complex algorithm is not a defence. The opacity of the model is a problem for the creditor, not for the applicant.

The underlying obligation sits at 12 CFR 1002.9. Paragraph (a)(2)(i) requires that the adverse-action notice contain a statement of specific reasons for the action taken. Paragraph (b)(2) requires that the statement of reasons be specific and indicate the principal reasons for the adverse action. The official commentary to Regulation B has long rejected generic explanations. The commentary names two patterns that fail. A statement that the applicant did not meet the creditor's internal standards. A statement that the applicant failed to achieve a qualifying score on the creditor's scoring system. Either is a per se violation.

Circular 2022-03 extends the commentary to the algorithmic case. The reason given to the applicant must name the actual factors that influenced the adverse decision. A creditor that uses a model trained on hundreds of features and outputs a probability score cannot satisfy Regulation B by reporting the score. The creditor must report the principal variables that drove the score down. If the model architecture does not permit that extraction, the model is not deployable in adverse-action territory. The Bureau frames the burden on the creditor to build a model from which reasons can be drawn.

The operative engineering pattern that satisfies Circular 2022-03 has three parts. The creditor records, per decision, the input feature vector at the level of the named variables. The creditor records the output score or class. The creditor records, per decision, the principal reasons extracted from the model, in plain language. The reasons are not generated retroactively. They are persisted at the moment the decision is made, in the same trace as the decision.

A common failure pattern. The creditor uses an LLM-based agent to summarise an application package and produce a recommendation. The LLM returns natural-language output. The downstream rules engine converts the output to an approve, deny, or refer-to-human disposition. The audit trail records the LLM output. It does not record the principal-reason extraction. When the regulator asks how reason A versus reason B was selected on a given denied application, the answer must trace back to the recorded LLM context, not to a separate post-hoc reason model that was not in the decision path.

03 · 2023 CHATBOT SPOTLIGHT

Chatbots and UDAAP exposure.

Customers turn to their financial institutions for assistance with financial products and services and rightfully expect to receive timely, straightforward answers, regardless of the processes or technologies used. As financial institutions continue to integrate AI technologies into their operations, the inability to address consumer questions and the diminished quality of customer service are likely to grow.
CFPB Issue Spotlight · Chatbots in consumer finance · 6 June 2023

The June 2023 issue spotlight is not a circular and not a rule. It is the Bureau signalling its supervisory priorities. The document is short. It identifies four risk vectors and routes each through statutory consumer-protection law.

RISK 01
Deficient pathways to human support. Chatbots that cannot escalate, that loop, or that bury the human channel. STATUTORY ROUTE · UDAAP under 12 U.S.C. 5536. Failure to provide a meaningful path to dispute resolution is a potential unfair practice.
RISK 02
Inaccurate, incomplete, or fabricated responses. The Bureau names hallucinations and the consequences of providing wrong information about an account, a fee, or a regulatory right. STATUTORY ROUTE · UDAAP deceptive prong. A representation that is likely to mislead a reasonable consumer is a deceptive act regardless of intent.
RISK 03
Mishandling of complaints and disputes. Chatbots that route a Reg E error claim or a Reg Z billing-error notice into a dead end. STATUTORY ROUTE · Reg E 12 CFR 1005.11 and Reg Z 12 CFR 1026.13 have specific timelines. Failure to honour them through a chatbot channel does not extinguish the obligation.
RISK 04
Privacy and security gaps. Disclosure of sensitive information to the wrong session, persistence of conversation logs without retention controls. STATUTORY ROUTE · GLBA Safeguards and the Bureau's UDAAP-data-security position articulated in Circular 2022-04.

The supervisory implication is that a deployed financial-services chatbot is not outside the four perimeters above merely because the institution did not build the model. A bank using a third-party LLM for a customer-facing channel is the covered person for UDAAP purposes. The Bureau treats hallucination not as a model property but as a deceptive practice the institution disseminated.

The operative engineering pattern for a defensible chatbot deployment has four parts. A factuality check on every customer-facing response, recorded in the trace. A typed escalation event whenever a session crosses a defined complexity or topic boundary. An immutable record of every complaint or dispute initiated through the channel, time-stamped and routed to the same queue as written complaints. A privacy-disclosure record per session covering what the chatbot was told and what it disclosed.

04 · LEP ACCOMMODATIONS

Limited English Proficiency and AI.

The Bureau's position on limited-English-proficiency consumers has been articulated through multiple statements since 2017 and is not a dedicated AI rule. The operative text is the January 2021 statement on financial institutions providing services to consumers with limited English proficiency, which sets a compliance and risk perimeter for non-English-language consumer communications. The Bureau has not, in this author's reading as of May 2026, issued a dedicated AI-and-LEP advisory opinion. [verification pending on any later dedicated LEP-and-AI advisory; the 2021 statement remains the operative LEP guidance.]

What the 2021 statement implies for an AI agent is direct. If the institution markets a product to LEP consumers in a non-English language, the digital channel must honour the same language commitments as the human channel. An LLM-based chatbot that operates in English by default but is offered to Spanish-speaking customers must either provide a substantively equivalent Spanish experience or be explicitly scoped out of Spanish-language consumer engagement. A bilingual agent that produces Spanish marketing but routes complaint resolution to an English-only flow is a candidate UDAAP exposure.

The Bureau has also flagged translation quality as an actionable risk vector. A machine-translated disclosure that materially alters the meaning of a Reg Z right or a Reg DD term sheet is, on the Bureau's reading, a candidate deceptive practice. The institution does not get a defence on the basis that the LLM produced the translation. The institution is the discloser.

The operative engineering pattern. Record the language of every consumer interaction in the trace. Record the source language of every disclosure rendered to the consumer and any translation step applied. Record the human or model that produced the translation. Record, where applicable, the back-translation verification step.

05 · AVM COLLATERAL RULE

Automated valuation models and nondiscrimination.

The agencies are issuing a final rule to implement the quality control standards mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act for the use of automated valuation models by mortgage originators and secondary market issuers in determining the collateral worth of a mortgage secured by a consumer's principal dwelling.
Federal Register · 89 FR 64538 · published 7 August 2024 · effective 1 October 2025

This is the only AI-specific final rule on the CFPB stack as of May 2026, and the CFPB is one of six issuing agencies. The Federal Reserve Board, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the National Credit Union Administration, the Federal Housing Finance Agency, and the CFPB jointly adopted the rule under the authority of section 1125 of the Financial Institutions Reform, Recovery, and Enforcement Act, added by Dodd-Frank section 1473(q).

The rule imposes five quality-control standards on any institution that uses an AVM in connection with making a credit decision or covered securitisation determination secured by a consumer's principal dwelling. Confidence in the estimates produced. Protection against data manipulation. Avoidance of conflicts of interest. Random sample testing and reviews. And compliance with applicable nondiscrimination laws.

The fifth standard is the AI-specific one. The Bureau and its sister agencies were explicit that AVMs trained on historical valuation data risk replicating historical discrimination in property valuation. The rule does not specify a particular fairness test. It requires the institution to have policies, practices, procedures, and control systems that are designed to ensure the AVM complies with nondiscrimination laws. The Fair Housing Act, the Equal Credit Opportunity Act, and the disparate-impact doctrine in Texas Department of Housing v. Inclusive Communities apply.

The operative engineering pattern for an AVM deployment after 1 October 2025. Record, per valuation, the AVM model identifier and version. Record the input feature set and the geographic context. Record the output and any human override. Record, on a periodic basis, the disparate-impact testing results, the corrective actions taken, and the documentation of nondiscrimination compliance reviews. The record is the institution's defence in any fair-lending examination.

06 · 2024-2025 STATEMENTS

2024 and 2025 statements on AI in lending.

The Bureau supplemented the 2022-2023 guidance with two additional documents in 2024. Circular 2024-06, dated 24 October 2024, addresses background dossiers and algorithmic scores used in hiring, promotion, and other employment decisions. While employment is not strictly consumer lending, the circular's reasoning on algorithmic-score outputs and the Fair Credit Reporting Act is structurally identical to the credit case. A score from a third-party algorithm used in an employment adverse action is a consumer report under the FCRA, and the user has notice and accuracy obligations.

The Bureau has also issued statements on AI in mortgage origination through its supervisory highlights and through the joint regulator statement on consumer-financial-services use of AI, signed by the CFPB, the FTC, the Department of Justice Civil Rights Division, and the Equal Employment Opportunity Commission on 25 April 2023. The joint statement is short and operative. Existing legal authorities apply to the use of automated systems and innovative new technologies, just as they apply to other practices.

The 2024 and 2025 supervisory highlights have included findings on AI-driven account-closure practices, AI-driven debt-collection scripts, and AI-driven adverse-action notices produced by third-party model providers. The pattern in each finding is consistent. The Bureau looks for the same artefacts ECOA, FCRA, and UDAAP have required for forty years. The fact that the artefact was produced by an AI system is not a defence; it is a description of how the violation occurred.

07 · CROSS-REFERENCE WEB

CFPB, the Fair Housing Act, and the UDAAP perimeter.

The CFPB's AI guidance does not operate in isolation. Three other statutory perimeters attach to the same fact pattern. The Fair Housing Act, 42 U.S.C. 3601 and following, prohibits discrimination in residential real-estate transactions. ECOA, codified at 15 U.S.C. 1691 and implemented in Regulation B at 12 CFR Part 1002, prohibits discrimination in any aspect of a credit transaction. UDAAP, codified at 12 U.S.C. 5531 and 5536, prohibits unfair, deceptive, or abusive acts and practices.

The cross-reference web matters because the same AI deployment routinely touches all three. An AI mortgage-underwriting agent is subject to ECOA on the credit decision, the Fair Housing Act on the housing element, and UDAAP on every customer-facing communication. A finding under one statute does not preclude findings under the other two. The Department of Justice and HUD enforce the Fair Housing Act in parallel. State attorneys general enforce ECOA and UDAAP under 12 U.S.C. 5552.

The argument that AI opacity is a defence does not survive any of the three perimeters. ECOA Regulation B explicitly rejects the opacity defence via Circular 2022-03. The Fair Housing Act's disparate-impact doctrine, affirmed by the Supreme Court in Texas Department of Housing v. Inclusive Communities Project (2015), does not require proof of intent; it requires proof that a facially neutral practice has a disproportionate adverse effect, and an opaque model cannot rebut the showing. UDAAP requires no scienter for the unfair or deceptive prongs.

The same chain runs through state actors. California, Colorado, New York, and Washington have each layered automated-decision-system rules over the Federal floor. The Colorado AI Act applies broadly to algorithmic decision-making in consumer contexts. The New York Department of Financial Services' fair-lending and cybersecurity rules attach to AI deployments at New York-regulated institutions. The Federal floor is not a ceiling.

08 · FIELD MAPPING

Where Warrant maps CFPB obligations.

The four operative CFPB obligations map to specific fields in the Warrant trace structure. The mapping is by-action, not by-trace, because each obligation attaches at the decision moment, not at the session moment.

REG B
12 CFR 1002.9(a)(2)(i) · statement of specific reasons for the action taken. OBLIGATION · per-decision reasons trail · FIELD · trace.actions[].adverse_action_reasons (array of named-variable reasons in plain language).
2022-03
Circular 2022-03 · the opacity defence is rejected. OBLIGATION · per-decision rationale not derivable post-hoc · FIELD · trace.actions[].decision_rationale (recorded at decision time, not at attest time).
UDAAP
12 U.S.C. 5531 · chatbot accuracy under the deceptive prong. OBLIGATION · hallucination check trail · FIELD · trace.actions[].factuality_check (model, score, threshold, decision).
LEP
CFPB 2021 LEP statement · substantively equivalent non-English experience. OBLIGATION · language-of-decision recorded · FIELD · metadata.language_disclosure (source_language, render_language, translation_path).
AVM
12 CFR Part 34 et al. (AVM final rule) · nondiscrimination quality control. OBLIGATION · per-valuation model identification plus periodic disparate-impact record · FIELD · trace.actions[].valuation_model + metadata.di_review.
Sample US lending evidence package · Warrant register · INDEPENDENTLY VERIFIABLE
→ /v/7de85ceaeac42a47
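
The per-decision record described in section 02 and mapped to the REG B and 2022-03 fields above can be linted before it is sealed. The following is an added example, not Warrant's code or schema: only the field names adverse_action_reasons and decision_rationale come from this page, and every other key, the direction values, and both sample records are assumptions constructed for illustration.

```python
"""Added example: lint one trace action against the Reg B / Circular 2022-03
evidence pattern. Field names adverse_action_reasons and decision_rationale
are from the page; disposition, inputs, score, decided_at, recorded_at,
variable, direction and text are an assumed layout, not a real schema."""
import re
from datetime import datetime

# Generic phrasings the page says the Regulation B commentary rejects.
GENERIC = re.compile(r"internal standards|qualifying score|insufficient score", re.I)


def check_adverse_action(action):
    """Return a list of findings; an empty list means the record is complete."""
    if action.get("disposition") != "deny":
        return []  # only adverse actions need the reasons trail
    findings = []
    inputs = action.get("inputs") or {}
    if not inputs:
        findings.append("no input feature vector recorded")
    if action.get("score") is None:
        findings.append("no output score or class recorded")
    reasons = action.get("adverse_action_reasons") or []
    if not reasons:
        findings.append("no adverse_action_reasons recorded")
    for i, r in enumerate(reasons):
        text = r.get("text", "")
        if not text.strip() or GENERIC.search(text):
            findings.append(f"reason {i}: generic or empty statement")
        if r.get("variable") not in inputs:
            findings.append(f"reason {i}: variable not in recorded inputs")
        if not r.get("direction"):
            findings.append(f"reason {i}: no direction of effect")
    # Reasons must be persisted with the decision, not produced afterwards.
    try:
        recorded = datetime.fromisoformat(action["decision_rationale"]["recorded_at"])
        if recorded > datetime.fromisoformat(action["decided_at"]):
            findings.append("decision_rationale recorded after the decision")
    except (KeyError, ValueError, TypeError):
        findings.append("decision or rationale timestamp missing or unparseable")
    return findings


# Constructed sample records, not real application data.
GOOD = {
    "disposition": "deny", "score": 0.31,
    "decided_at": "2026-05-11T14:02:07+00:00",
    "inputs": {"debt_to_income_ratio": 0.52, "credit_history_months": 9},
    "adverse_action_reasons": [{
        "variable": "debt_to_income_ratio", "direction": "adverse",
        "text": "Debt-to-income ratio is too high for the amount requested."}],
    "decision_rationale": {"recorded_at": "2026-05-11T14:02:07+00:00"},
}
# Same decision, but with a score-only reason written a day later.
BAD = {**GOOD,
    "adverse_action_reasons": [{
        "variable": "model_score", "direction": "",
        "text": "Applicant failed to achieve a qualifying score."}],
    "decision_rationale": {"recorded_at": "2026-05-12T09:00:00+00:00"},
}

if __name__ == "__main__":
    for name, record in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_adverse_action(record) or "ok")
```

The timestamp comparison assumes the rationale and the disposition are stamped from the same decision event; a pipeline that writes them in separate steps would need a tolerance it can justify.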
09 · FAQ

Questions a compliance officer asks first.

Does Circular 2022-03 apply to my lending agent?

If the agent participates in a credit decision covered by the Equal Credit Opportunity Act and Regulation B, yes. Circular 2022-03 is interpretive guidance on the existing ECOA Regulation B obligation under 12 CFR 1002.9. It binds creditors. A vendor running the model behind an API does not escape ECOA when the downstream user is the creditor of record. The creditor remains responsible for the adverse-action notice regardless of which entity hosts the inference.

What counts as a specific principal reason under ECOA?

12 CFR 1002.9(b)(2) requires a statement of reasons that are specific and indicate the principal reasons for the adverse action. The official commentary rejects generic statements such as internal standards or insufficient score. CFPB Circular 2022-03 extends that prohibition to outputs of complex algorithms. A reason that names a variable category (such as length of credit history, debt-to-income ratio, or recency of derogatory item) and the direction of its effect on the decision is the operative pattern.

Is the CFPB AI position binding or guidance?

Circulars are interpretive. They do not create new rights or obligations. They state the Bureau's interpretation of obligations that already exist under statute and regulation. A creditor that ignores a circular still faces the underlying ECOA, FCRA, or UDAAP exposure the circular describes. The circular is admissible as the agency's reasoned position in supervisory and enforcement proceedings.

How does CFPB interact with FTC and state AGs on AI consumer protection?

CFPB has primary authority over Federal consumer financial law for covered persons under 12 U.S.C. 5481. FTC retains parallel UDAP authority over most non-bank actors under section 5 of the FTC Act. State attorneys general can enforce Federal consumer financial law against non-banks under 12 U.S.C. 5552 and their own state UDAP statutes. The 25 April 2023 joint statement signed by CFPB, FTC, DOJ Civil Rights, and EEOC formalises the four-way coordination on AI deployments.

What is the CFPB position on chatbot UDAAP risk?

The June 2023 issue spotlight Chatbots in consumer finance identifies four risk vectors. Deficient pathways to human support. Inaccurate or fabricated responses. Mishandling of complaints and disputes. Privacy and security gaps. Each maps to UDAAP under 12 U.S.C. 5531 and 5536. The Bureau frames hallucinated answers as potentially deceptive acts under the statute, with no scienter requirement.

Does CFPB action on AI affect non-banks, FinTech, and NBFI?

Yes. CFPB supervisory and enforcement authority under 12 U.S.C. 5514 reaches non-bank covered persons in residential mortgage, private education lending, payday lending, and any market the Bureau designates as larger participant. The 2022 invocation of dormant supervisory authority over non-bank entities posing a risk to consumers further broadened the perimeter. A FinTech lender is the same creditor for ECOA purposes as a national bank.

How does the ECOA Regulation B specific-reasons requirement work for an LLM-based agent?

The agent must produce, at decision time, a recorded artifact that names the specific principal reasons for the adverse action in plain language. If the LLM is the operative scorer, the integrating creditor must extract reasons that name a variable and its effect, not the model architecture. A trace that records the prompt, the inputs, the output, and the post-hoc reason extraction is the operative evidence pattern. The reasons must be extractable from the same decision path as the disposition, not from a separate model run later.

10 · READ THE SOURCE

Read the source directly.

Authored by Warrant Compliance, the regulatory-analysis function at Warrant. Editorial commentary on regulatory text. Not legal advice. The verbatim quotation of CFPB Circular 2022-03 reflects the text as published by the Bureau on 26 May 2022. The verbatim quotation of the June 2023 issue spotlight reflects the text as published by the Bureau on 6 June 2023. The Federal Register citation reflects 89 FR 64538 of 7 August 2024 implementing the AVM final rule with effective date 1 October 2025.