Disparate Impact Risk of AI Use in Underwriting
On May 9, 2019, Maxine Waters (D-CA), chairwoman of the House Committee on Financial Services, announced the creation of a Task Force on Artificial Intelligence (Task Force). The Task Force, chaired by Congressman Bill Foster (D-IL), is responsible for informing Congress on the financial services industry’s use of artificial intelligence (“AI”) and its impact on consumers, investors, and small businesses.
The Task Force held its first hearing, titled “Perspectives on Artificial Intelligence: Where We Are and the Next Frontier in Financial Services,” on June 26, 2019. The hearing highlights the increasing concerns of lawmakers on the compliance and fair lending risks associated with the usage of AI within the financial services industry.
In the hearing memorandum, the Task Force acknowledges that the use of AI offers significant benefits to consumers and financial institutions by enabling new methods to analyze consumer data and potentially expanding the availability of credit and services to individuals. Machine learning (ML), a type of AI commonly used in credit risk decisioning models, was also highlighted as a technology that can allow financial institutions to originate loans to individuals without traditional credit profiles.
While recognizing the benefits, the Task Force raised concerns about AI’s potential adverse impact on consumers. For example, it noted that certain AI techniques, like ML, can be difficult to audit as the programs update over time based on new data and learning. Under those circumstances, an institution may not be able to determine why credit decisions were made, resulting in unintended biases. Such biases could violate laws, such as the Equal Credit Opportunity Act (ECOA), that prohibit discrimination in lending.
Risks related to AI credit decision modeling have been addressed in various regulatory publications and guidances. In 2019, for example, the OCC’s Semiannual Risk Perspective stressed the importance of understanding and monitoring underwriting and pricing models to identify potential fair lending disparate impact decisioning and other fair lending issues. The publication also stated that bank management should be able to explain and defend underwriting and modeling decisions. Although AI technologies are not specifically mentioned in the OCC’s 2011-12 Supervisory Guidance on Model Risk Management, financial institutions are expected to apply that guidance in their oversight of AI credit decisioning models.
Understanding ML decisions will help financial institutions remain in compliance with ECOA, which, among other things, makes it illegal for a creditor to discriminate against an applicant on a prohibited basis regarding any aspect of a credit transaction. Fair lending disparate impact discrimination occurs when a lender’s policy or practice has a disproportionately negative impact on a prohibited basis, even though the lender may have no intent to discriminate and the practice is neutral with respect to its application. A policy or practice that has a disparate impact may violate the law, unless it meets a legitimate business necessity that cannot reasonably be achieved by a means that has less impact on protected classes. ML models may result in disparate impact if models are not monitored to ensure decisions do not have a disproportionately negative impact on consumers within a protected class.
The hearing memorandum also noted that a financial institution’s lack of understanding of credit decisioning outcomes may create challenges complying with other consumer protection regulations. For example, ECOA requires institutions to send adverse action notices stating the reason for a denial of credit. If lenders do not understand why a model denied an applicant, they may not be able to comply with ECOA’s adverse action notice requirements.
Financial institutions should validate models to mitigate fair lending risk and help ensure compliance with consumer protection regulations. This can be achieved by assessing the quality of the model design and construction, reviewing the model documentation, assessing empirical evidence, and confirming that the variable selection process used in the model is conceptually sound. Since ML model decisions can be difficult to understand, model validators should set standards for requirements of explainability so that ML models with inadequate explainability can be identified and remediated before being used in making credit decisions.
House Financial Services Committee Takes Aim at Credit Reporting Reform
In July 2019, the House Financial Services Committee passed six bills related to credit reporting reform, as part of an ongoing effort to significantly rewrite the rules around how credit reporting information is collected, used, and disclosed. A seventh bill related to credit reporting reform was reviewed by the Committee but remains pending an amendment in the nature of a substitute.
Since the Equifax data breach in 2017, there has been mounting pressure to evaluate and address industry practices related to consumer reporting and its impact on everyday consumers. Each of the seven bills would amend various elements of the Fair Credit Reporting Act (“FCRA”), which regulates consumer reporting agencies, users of consumer reporting information, and furnishers of consumer information.
While each of the seven bills varies in its stated requirements, they collectively share an intent to reform several key aspects of consumer reporting. These changes include how long certain types of adverse information may remain on a consumer report, increased disclosure of scoring model criteria and expanded protections for certain groups of consumers such as student loan borrowers, among others. Following is a brief overview of the six bills passed by the Committee:
- Improving Credit Reporting for all Consumers Act: Puts forth new requirements seeking to, among other objectives, “fix the consumer report dispute process” and “ban misleading and unfair consumer reporting practices.” These requirements include, but are not limited to: Proper and timely reinvestigation and subsequent resolution of consumer disputes, the creation of a webpage by consumer reporting agencies to disclose consumer dispute rights, record retention to substantiate the accuracy and completeness of furnished information, prohibition of auto renewals of consumer reporting and credit scoring products and services, and treating multiple credit inquiries as a single inquiry in certain instances.
- Restoring Unfairly Impaired Credit and Protecting Consumers Act: Among other key provisions, this would require that adverse information be removed from a consumer report after a shorter period (four years, instead of seven). It also proposes that fully paid or settled debts be removed from a consumer report more quickly, and an end to credit scoring models using a consumer’s participation in certain credit restoration or rehabilitation programs as a scoring factor.
- Free Credit Scores for Consumers Act of 2019: Includes a requirement that consumer reporting agencies provide a free credit score when providing a free annual consumer report requested by a consumer, as well as other requirements pertaining to the provision of free consumer reports and credit scores.
- Restricting Use of Credit Checks for Employment Decisions Act: Bans employers from using consumer reports for employment decisions other than in certain cases where the report is required by law or used in connection with a national security investigation.
- Student Borrower Credit Improvement Act: Includes various consumer reporting information requirements relating to private student loans, including a requirement that adverse information related to a delinquent or defaulted private student loan no longer be furnished if the borrower has made 9 on-time monthly payments during a 10-month period following the date of default or delinquency.
- Clarity in Credit Score Formation Act of 2019: Establishes clear federal oversight of the development of credit scoring models and directs the CFPB to, among other actions, establish standards for validating the accuracy and predictive value of scoring models before their release and periodically thereafter, conduct reviews of credit scoring models every 2 years for appropriateness of factors and factor weights, and conduct a study regarding the use of non-traditional consumer reporting data for certain consumers.
The seventh bill, Accurate Access to Credit Information Act of 2019, which has not yet passed the Committee, would require the nationwide consumer reporting agencies to develop a joint, online consumer portal landing page allowing consumers unlimited free access to consumer reports, credit scores, and dispute submissions, among other provisions.
For the six bills that passed the Committee, all passed without garnering any Republican support, which makes it unlikely that, in their current form, they would pass the Senate even is passed by the U.S. House of Representatives. However, the House Financial Services Committee’s passage of the bills serve as a reminder that credit reporting reform continues to be a hot topic on Capitol Hill. As calls for a bipartisan approach to reforming the credit reporting industry continue to be made - as evidenced by a recent bill proposed by the ranking member of the House Financial Services Committee - furnishers and users of consumer reporting information should stay abreast of any legislative developments and take the appropriate steps in preparation for any significant changes in this space.
FinCEN Updates Advisory on Email Compromise Fraud
In September 2016, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued an advisory to financial institutions (Advisory to Financial Institution on E-Mail Compromise Fraud Schemes; FIN-2016-A003) warning of the risks of a growing area of fraud referred to as “email compromise fraud.”
Such activity involves criminals using compromised email accounts to mislead businesses, including financial institutions, and their customers into conducting unauthorized wire transfers. The fraud can be perpetrated against businesses (referred to as Business Email Compromise or BEC) or individuals (referred to as Email Account Compromise or EAC). The 2016 Advisory was intended to inform financial institutions how to identify and prevent the growing problem of email compromise fraud and to address a financial institution’s suspicious activity reporting obligations when such activity is detected. In July 2018, the Federal Bureau of Investigation (FBI) reported that between October 2013 and May 2018 there were 78,617 incidents of email compromise fraud (both domestic and international) resulting in an exposed dollar loss of approximately $12.5 billion.
On July 16, 2019, FinCEN issued an update to its 2016 Advisory on email compromise fraud. The updated 2019 Advisory (Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes; FIN-2019-A005) alerts financial institutions of the growth in this activity and highlights key trends, including which business sectors and processes have been targeted by criminals and which jurisdictions have been most closely associated with this activity.
In a common business email compromise (BEC) scheme, a criminal illegally accesses the email account of an employee of a company and sends fraudulent instructions to the company’s financial institution to wire funds to an account controlled by the criminal. The 2019 Advisory alerts financial institutions that the top three sectors commonly targeted in BEC schemes, based on its analysis of reported activity, include manufacturing and construction (25% of reported BEC cases); commercial services (18%); and real estate (16%). The 2019 Advisory also indicates that BEC schemes have more recently been targeting non-traditional business customers such as government entities, non-profit organizations including educational institutions, and financial institutions. FinCEN reports that increasingly the initial funds transfer in a BEC scheme involve domestic, rather than international funds transfers. However, when funds are either initially or subsequently transferred from the United States, the most prominent destinations have been China, Hong Kong, the United Kingdom, Mexico, and Turkey.
The 2019 Advisory also highlights certain characteristics of business processes that are attractive to criminals when selecting a target for a BEC scam, noting that the probability of success often depends on the criminal’s knowledge of the victim’s business processes and weaknesses in authorization and authentication protocols. As such, industries with publicly available information about their organizations, including vendors, contracts, and business processes, are attractive targets. According to FinCEN, the education, real estate, and agriculture sectors have been key targets to date.
While deterring the successful execution of a BEC scheme is the primary goal of FinCEN’s guidance, the 2019 Advisory also provides guidance to institutions that have experienced an email compromise fraud. FinCEN has partnered with the FBI and other government entities and foreign counterparts to help financial institutions recover stolen funds through its Rapid Response Program (RPP). The Advisory directs financial institutions to file a complaint with the FBI’s Internet Crime Complaint Center, contact their local FBI field office or the nearest U.S. Secret Service field office to initiate the program. FinCEN advises that it has had greater success with recovering funds when victims or financial institutions report the fraudulent transactions with 24 hours.
Similar to the 2016 Advisory, the 2019 Advisory reminds financial institutions of their obligation to file Suspicious Activity Reports (SARs) on email compromise fraud regardless of whether the scheme was successful or whether the customer or financial institution incurred an actual loss. Although the 2016 Advisory addressed SAR filing in detail, the 2019 Advisory also provides additional instructions to financial institutions on SAR completion and should be consulted on a go-forward basis.
Financial institutions are encouraged to follow the FinCEN recommendations in the 2019 Advisory. Specifically, financial institutions should assess the vulnerability of their business processes to compromise and consider if there are appropriate steps within their risk management approach to strengthen controls against email compromise fraud. This could include re-evaluating processes related to authenticating participants in communications, authorizing transactions, and communicating information and changes about transactions.
Regulation CC Amendment Finalized
In November 2018, the CFPB and the Federal Reserve Board (Board) jointly issued a proposed rule to amend Regulation CC, which implements the Expedited Funds Availability Act of 1987 (EFA Act). This event was discussed in our January 2019 issue of Compliance Insights. The CFPB and Board have now jointly issued final amendments implementing the statutory requirement to adjust the amount of funds that must be made available to customers. Adjustments must be in line with inflation and will occur every five years starting July 1, 2020. The first set of adjustments has been announced as follows:
- The minimum amount of deposited funds banks must make available on the next business day (currently $200) will increase to $225;
- The minimum amount of deposited funds banks must make available in cash on the day in which the funds are available (currently $400) will increase to $450;
- Dollar thresholds which define the circumstances when a bank may use certain types of exception holds (all currently $5,000) will increase to $5,525; and,
- The $1,000 and $500,000 amounts in (civil liability) will increase to $1,100 and $552,500, respectively
In addition to the dollar threshold changes above, depository institutions should also ensure coverage is extended to American Samoa, the Commonwealth of Northern Mariana Islands, and Guam, in accordance with the Economic Growth, Regulatory Relief and Consumer Protection Act amendments to the EFA Act. Additionally, institutions should adjust the configuration of their deposit systems, whether in-house or via third parties, and update relevant component of their compliance management systems (CMS), such as policies, processes, procedures, systems, and training. Institutions should be prepared to update their funds availability disclosure and lobby postings, and provide a 30-day notice to customers related to these changes in the availability of funds.
The Bureau Releases Fair Lending Report Outlining Its Activities
In June 2019, the Consumer Financial Protection (CFPB or Bureau) released its seventh annual Fair Lending Report (Report). An annual report on the CFPB’s fair lending activities is required to be submitted to Congress pursuant to Section 1013(c)(2)(D) of the Dodd Frank Wall Street Reform and Consumer Protection Act. Since the Report is a summary of the Bureau’s prior activity, much of the subject matter has been previously addressed in regulatory publications, including Compliance Insights. However, the Report does provide an effective annual point of reflection to remind compliance officers and others impacted by fair lending obligations of where regulatory priorities have been, and to some extent, where they are likely to go.
The Report states that, in 2018, the CFPB focused its fair lending supervisory and enforcement activity on mortgage lending, small business lending, and student loan servicing. Evaluating mortgage and small business loans for redlining was also a high priority and the Report indicates that this will likely be a continuing area of focus. The Bureau also notes that, as a result of its 2018 annual risk-based prioritization process, it identified new fair lending focus areas which include student loan origination, debt collection and the use of models that predict recovery outcomes.
Regarding enforcement actions, the CFPB indicates it opened several fair lending-related investigations in 2018; however, notably, it did not issue any fair lending-related enforcement actions. The Report also indicates that none of the other 11 administrative agencies with ECOA enforcement authority brought public enforcement actions in 2018 for ECOA violations. This represents the first year, starting with 2012, in which no public ECOA enforcement action was issued.
In addition to bringing public enforcement actions, the CFPB and other banking agencies are also required by ECOA to refer any potential discrimination violations to the Department of Justice (DOJ) for review and consideration. The Report reflects the number of referrals made to the DOJ for each year since 2012 with only one referral being made in 2018. This is significantly lower than in prior years in which the number of referrals ranged from 11 to 24.
Although the number of enforcement actions and referrals to DOJ have decreased in recent years, fair lending oversight still appears to be a high priority for the CFPB and other banking agencies. Effective policies and procedures should be implemented to ensure compliance with fair lending rules and regulations. Financial institutions should develop fair lending risk monitoring programs that identify trends in underwriting and pricing at the institution and evaluate whether such trends pose fair lending risk to the financial institution. Lastly, fair lending self-assessments should be considered to ensure the fair lending program is commensurate with the size, complexity, and products or services offered by the financial institution.