29 September 2023 |

The CFPB Creates New Adversity for Lenders

By Alex Johnson

Last week, the CFPB issued some new guidance:

Today, the Consumer Financial Protection Bureau (CFPB) issued guidance about certain legal requirements that lenders must adhere to when using artificial intelligence and other complex models. The guidance describes how lenders must use specific and accurate reasons when taking adverse actions against consumers. … This requirement is especially important with the growth of advanced algorithms and personal consumer data in credit underwriting. Explaining the reasons for adverse actions help improve consumers’ chances for future credit, and protect consumers from illegal discrimination.

This news didn’t exactly make waves in the fintech ponds that I spend most of my time in.

Understandable. Adverse action notices are a rather dry and uninteresting subject to most people. Plus, this hasn’t been an area of financial services regulation that has seen much activity or debate over the last 50 years.

But that’s changing (thanks to the CFPB) … and while most people don’t really care, I can tell you that financial services lawyers do care. They care passionately!

When I asked on social media if there was a lawyer familiar with adverse action with whom I could speak, I received an avalanche of responses. And the resulting conversations were really interesting! 

Adverse action is an area we should all be paying attention to.  

What are adverse action notices?

First things first, let’s define what we’re talking about here. 

An adverse action notice (AAN) is an explanation that a lender is required to give to a consumer if the lender denies that consumer for a credit product or takes other “adverse actions” such as offering them less favorable terms.

Adverse action notices are mandated by both the Fair Credit Reporting Act (FCRA), a law passed in 1970, that governs the collection and use of consumer credit information, and the Equal Credit Opportunity Act (ECOA), a law passed in 1974 that was designed to prevent lenders from discriminating against borrowers.

The purpose of adverse action notices is to both discourage discriminatory lending and to assist consumers in understanding and improving their creditworthiness. Here’s how the Senate Banking Committee’s report from 1976 (when ECOA was updated) describes AANs’ intended purpose:

The requirement that creditors give reasons for adverse action is, in the Committee’s view, a strong and necessary adjunct to the antidiscrimination purpose of the legislation, for only if creditors know they must explain their decisions will they effectively be discouraged from discriminatory practices. Yet this requirement fulfills a broader need: rejected credit applicants will now be able to learn where and how their credit status is deficient and this information should have a pervasive and valuable educational benefit. Instead of being told only that they do not meet a particular creditor’s standards, consumers particularly should benefit from knowing, for example, that the reason for the denial is their short residence in the area, or their recent change of employment, or their already over-extended financial situation. In those cases where the creditor may have acted on misinformation or inadequate information, the statement of reasons gives the applicant a chance to rectify the mistake.

“This information should have a pervasive and valuable educational benefit.”

Let’s pause for a second and appreciate what a beautiful sentiment that is. It is, in my humble opinion, one of the most uniquely wonderful characteristics of the U.S. credit system – you have the right, as a consumer, to understand why you weren’t approved for a loan and receive actionable insights for how you can improve your chances next time.

Lenders, however, aren’t quite as big of fans of adverse action.

How have lenders traditionally handled adverse action notices? 

According to Regulation B, the implementing regulation for ECOA, a lender is required to disclose their “principal reasons” for taking an adverse action. These disclosures must describe the facts that were relevant to a decision but need not provide a description of the decision‐making rules themselves.

If that sounds vague and somewhat confusing to you, you’re not alone! Lenders in the 1970s felt the same, and they expressed displeasure to lawmakers and regulators after the adverse action requirements were added to ECOA in 1976.

How, they wondered, were they supposed to boil down their complex and nuanced credit decisioning processes into a set of key reasons that could be clearly and helpfully communicated to consumers?  

As a result, the Federal Reserve Board made a change in 1985. They drafted up a series of standard forms for lenders to use and a checklist of common reasons that someone might be declined for credit. That checklist looks like this:

And, if lenders were using a broad-based consumer credit score, like the FICO Score (which was launched in 1989), to aid in their decision, there was a form for them to provide the consumer with their credit score and with the “reason codes” for why their score was what it was:

The Federal Reserve Board warned, at the time, that the checklist and forms were meant to be a helpful starting place for lenders in complying with the adverse action notice requirement, not a solution in and of themselves:

Creditors must incorporate into their forms the factors on which they actually base their credit evaluations; they should not simply reprint a model form and check a factor that most closely approximates the reason for adverse action.     

And yet, for the most part, that’s exactly what lenders did for the next 35 years – the bare minimum.

The rationale for this was fairly straightforward. Consumers that were receiving adverse action notices were, by definition, consumers that the lenders didn’t want as customers. There was no business reason to invest more than the minimum required amount in complying with the AAN requirement. Indeed, doing anything other than using the standard forms and checklist was seen as an unnecessary regulatory risk (the legal equivalent of not picking IBM). You weren’t going to get any extra credit from the prudential regulators who were concerned more with safety and soundness. And the regulator who was in charge of ECOA and FCRA compliance at the time (the FTC) was busy and not overly interested in AANs (unless lenders were doing something out of the ordinary).

So, what changed?

Well … 

Wait, do you hear that? 

Is that Rohit Chopra’s music?!? 

What is the CFPB’s concern?

The CFPB, as you likely know, was created by the Dodd–Frank Act in 2010. It is, as its name suggests, entirely focused on the protection of consumers within the financial services industry. This sets it apart from the FTC, which is focused on similar issues, but across a much wider range of industries, and prudential regulators in financial services (the Fed, the OCC, the FDIC, etc.), which are focused more on the safety and soundness of the financial system.

The reason this is important is two-fold.

First, things like adverse action notices are way more important to the CFPB than they have ever been to any other regulator. Indeed, today the CFPB is the principal regulator for all consumer finance protection regulations, including ECOA and FCRA.

Second, while the CFPB has a broad mandate and a wide range of tools in its regulatory toolbox (research, rulemaking, enforcement, supervision, press releases, etc.), they don’t get the same regular inside look at bank operations that prudential regulators, which operate annual exam cycles for the banks under their purview, get. A lot of their inputs tend to be more sporadic and specific (consumer complaints, tips from whistleblowers, etc.) 

So, what do you get when you combine an intense focus on consumer protection with a comparatively outside perspective on how banks and non-bank financial service providers are operating?

A deeply suspicious regulatory agency.

During Director Chopra’s tenure, much of that suspicion has been trained on the expanded datasets and increasingly sophisticated methods that lenders are using to evaluate prospective borrowers:

Data harvesting on Americans has become voluminous and ubiquitous, giving firms the ability to know highly detailed information about their customers before they ever interact with them. Many firms across the economy rely on these detailed datasets to power their algorithmic decision-making, which is sometimes marketed as “artificial intelligence.” The information gleaned from data analytics has a broad range of commercial uses by financial firms, including for targeted advertising and in credit decision-making.

Hence last week’s guidance, which seeks to clarify lenders’ responsibilities regarding adverse action notices given the increasing use of alternative data and AI/ML in credit decisioning.

The guidance emphasizes the following points:

  • Lenders may not rely solely on the standard checklist of reasons for adverse action notices if the reasons provided on the checklist do not reflect the principal reasons for the adverse action. In other words, close only counts in hand grenades and horseshoes.
  • The principal reasons should be an accurate reflection of the factors that caused the adverse action, regardless of whether those reasons might appear irrelevant, silly, surprising, or unfair to the consumer. What the bureau means here is that if you use the fact that the consumer types in ALL CAPS as a reason to decline them (which might be a statistically valid thing to do), then you have to tell them that and endure the consequences.
  • The principal reasons provided in the adverse action notice need to be specific. For instance, if you decline a consumer for a loan because they work as a teacher and you think that shrinking government budgets in the state they live in may cause that person to lose their job and be unable to pay, you need to tell them exactly that. No more hiding behind generic phrases like, “insufficient projected income”.   

These changes are a big deal!

What are the potential implications of the CFPB’s guidance?

First implication – this is going to create a lot of work for lenders. 

Despite what they claimed in 1976 and what they may claim today, it is possible for lenders to backward engineer their underwriting processes to distill down a list of principal reasons for adverse actions. 

Yes, even when the lenders are using AI. FinRegLab studied this exact question in great depth and found that:

There are a set of diagnostic tools that exhibit high fidelity across both simple and complex models in a specific sense. These tools are able to identify features of rejected applicants such that other applicants who have similar credit characteristics are also likely to be rejected. These tools are also able to identify features that, when changed in a favorable direction, reduce predicted default probabilities by more than randomly chosen or even closely correlated features.  

However, doing this and doing it to the exacting standards that the CFPB now apparently expects won’t be quick, easy, or inexpensive, which is annoying for lenders given that there’s no obvious business benefit to doing so.

Second implication – the CFPB’s guidance may put a strain on the educational intent behind the adverse action notice requirement.

Remember, the law requires that lenders provide rejected applicants (at their request) with a short list of reasons why they were declined. In attempting to comply with the spirit of the law – providing actionable insights to consumers for how they can improve their odds of being approved next time – lenders will often prioritize some reasons over others when compiling their lists. In its push for fidelity and specificity, the CFPB may inadvertently make adverse action notices more accurate and less useful at the same time. 

To illustrate this concern, let’s go back to the teacher example used above. If you decline someone for a loan and one of the principal reasons is her job as a teacher and the viability of that job in the state she lives in, is it accurate to list that as one of the top few reasons in the adverse action notice? Yes. Is it helpful to list that as one of the top few reasons in the adverse action notice, particularly at the expense of a different reason more related to her day-to-day financial behaviors? Eh, maybe not. After all, it’s not likely that someone is going to switch careers just to get approved for a loan. Nor do we, as a society, necessarily want to encourage that. 

Third implication – the CFPB’s guidance seems designed to discourage fintech companies’ use of alternative data.

It’s clear that the CFPB strongly suspects that lenders are using alternative data, not connected to consumers’ management of their financial obligations (i.e. not credit bureau data, bank transaction data, or rent/utility repayment data) to make credit decisions. The use of such data can be helpful in predicting defaults (there are all kinds of interesting correlations out there … waiting for a clever algorithm to notice them), but it can also very easily lead to discriminatory lending. 

For example, imagine that a lender uses device type as a variable in its underwriting, based on the logic that ownership of cheaper or older model mobile phones would be somewhat correlated with lower-income consumers who might be less able to repay a loan. From a modeling perspective, you could see the theoretical logic. But, of course, adults over the age of 40 are much more likely to own old smartphones or cheap flip phones, and adults over 40 are a protected class in the U.S., which would potentially make this underwriting variable discriminatory.

Large, sophisticated banks understand this very well and, in my experience, usually choose to forgo the use of such data in favor of staying in full compliance with Reg B. Frank Rotman, Chief Investment Officer at QED Investors and an early employee at Capital One (a lender famous for its cutting-edge credit risk analytics), made this same point on my podcast a while back:

The problem with Reg B is that the way that it is implemented is not just about disparate treatment but about the actual outcomes. So ultimately, I cannot use a lot of information in statistical models because they would result in protected classes being adversely affected by the models’ decisions. And again, there are a lot of good reasons for these regulations because of what happened in our history, but if you were to use all the data you could get to perfectly predict risk, you would actually be breaking the law.

It’s a very, very difficult topic. Almost a third-rail topic, where you have statisticians constantly trying to improve the models and looking for incremental signal, but Reg B is saying you have to pull some of that signal out because it will result in disparate treatment of protected classes.    

This makes me think that the CFPB’s focus on AI, algorithmic underwriting, and adverse action isn’t so much about banks, but rather about fintech lenders (and the partner banks that enable them).

I know for a fact that there are fintech lenders that are using data variables in their underwriting algorithms that large banks would never even consider using, due to the associated compliance risks. This presents a fair lending concern for regulators. Prudential regulators are coming at this problem by looking for third-party risk management failures by banks that partner with fintech lenders (see the recent consent order between the FDIC and Cross River Bank for an example). It appears to me that the CFPB is attacking this problem from the other end, by requiring fintech lenders to disclose more specific declination reasons that might indicate the use of concerning data variables.

Fourth and final implication – the CFPB’s guidance may make it easier for consumers and fraudsters to game lenders’ underwriting processes.     

I would say that a majority of lenders’ motivation for not going beyond the CFPB’s standard checklist and forms for adverse action is laziness. They just don’t want to put in any more work than they are required to.

However, a lesser-but-still-very-legitimate motivation for sticking with the generic checklists and forms is the desire to not make it easier for applicants to game the system than absolutely necessary.

Go back to the typing in ALL CAPS example. That might be a statistically useful variable for predicting credit risk (set aside the potential fair lending issues), but it’s absolutely not one that you can share with consumers in an adverse action notice. It’s correlation, not causation. 

If you tell a consumer that they were declined because they had too many late payments, they can’t hurt you with that information because the logical action they would take in response (paying on time) would actually make them a better credit risk. If you tell them it was because they typed in ALL CAPS, the resulting action (typing with the proper capitalization) would make them look better to your algorithm without actually representing a meaningful change in their creditworthiness.

Fraud is a much bigger and more serious version of this same problem. 

If you give fraudsters a hyper-specific list of the reasons why they failed to steal money from your company, all you are doing is encouraging them to give it another go and improving their odds of success. It would be like the coach of a football team walking over to the opposing locker room during halftime and handing his counterpart his breakdown of the game film and list of planned adjustments.

Synthetic identity fraud, which is designed not to run afoul of a lot of the traditional ID verification and fraud prevention steps that commonly precede the credit decisioning process, is a particularly big challenge in this respect. 

It’s unclear, from reading the CFPB’s guidance, how seriously they view this concern.   

Is adverse action actually an opportunity?

I want to end this essay by taking a step back and looking at the big picture.

The CFPB’s guidance on adverse action notices is really just an attempt to try to get lenders to invest more in a thing that lenders don’t see any ROI in.

But what if lenders are wrong?

Let’s set aside new-to-bank applicants and fraudsters. I tend to agree with banks that those two segments aren’t worth investing in when it comes to creating richer and more useful adverse action notices. And I would, if I were them, look for opportunities to challenge the CFPB’s rather aggressive interpretation of Reg B on these fronts.

Having said that, I think banks are missing an opportunity.

What do banks do today when an existing customer, a customer that they value, applies for a loan and is rejected?

They do the same thing they do with everyone else – offer them a generic and not-overly-helpful adverse action notice! 

There is no VIP treatment. There is no white-glove customer service or Credit Karma-like experience trying to help them understand, truly understand, why they were rejected and how to improve their creditworthiness. There is no Miracle on 34th Street-style offer saying, “We’re so sorry we couldn’t approve you for this loan, but we deeply value you as a customer, and we would suggest that you apply for loans from these other banks where you might have better luck.” Shit, given the siloed nature of most banks, I’ll bet the average digital lending process isn’t even aware when a new applicant is an existing customer of the bank!     

This is absurd. These are valued customers. Their identities can be authenticated, so banks know there’s no risk of fraud. These customers are asking for help to do something (earn rewards, buy a car, refinance debt, etc.) Why, once they are declined, do their banks show no interest in helping them? Have banks not been paying attention to the explosion of fintech products focused on credit building? Do they not see the opportunity to build a better, friendlier credit on-ramp for their own customers?

The CFPB is ushering in a world in which customer retention will become infinitely more important than it is today. The bureau’s guidance on adverse action notices is an opportunity to start preparing for that world.