FinQub
Regulation · Reg B / ECOA

Regulation B / ECOA – Equal Credit Opportunity Act

Fair-lending obligations on every credit decision: prohibited bases, the three theories, adverse-action notices, and the AI-underwriting expectations the CFPB has codified.

Updated May 2026·8 min read

Regulation B (12 CFR Part 1002) implements the Equal Credit Opportunity Act, 15 U.S.C. § 1691 et seq. It prohibits discrimination in any aspect of a credit transaction on prohibited bases and creates affirmative obligations around adverse-action notices, monitoring data, and fair-lending program design. ECOA enforcement is the primary fair-lending vector for non-mortgage credit. The CFPB administers Regulation B; the federal banking agencies, the FTC, and the DOJ share enforcement authority.

Prohibited bases

ECOA prohibits discrimination on the basis of:

  • Race or color
  • Religion
  • National origin
  • Sex (including sexual orientation and gender identity, per CFPB interpretation)
  • Marital status
  • Age (with limited exceptions for certain credit-scoring uses)
  • Receipt of public-assistance income
  • The good-faith exercise of rights under the Consumer Credit Protection Act

Three theories of discrimination

Regulation B and federal fair-lending caselaw recognize three theories under which discrimination is found:

  • Overt discrimination – express different treatment based on a prohibited basis. Rare but unambiguous.
  • Disparate treatment – similarly situated applicants treated differently because of a prohibited basis. Proven by direct evidence or by inference from comparators.
  • Disparate impact – a facially neutral policy or practice has a disparate effect on a protected class without a sufficient business-justification defense. The CFPB and DOJ regularly bring disparate-impact cases.

Adverse-action notices

When a creditor takes adverse action on a credit application or an existing account, Regulation B § 1002.9 requires written notice to the applicant within 30 days of the action (60 in some circumstances). The notice must include the action taken, the ECOA antidiscrimination notice, and either specific reasons for the adverse action or notice of the right to request reasons within 60 days.

FCRA layers a separate adverse-action obligation when a consumer report informed the decision. The two notices are usually combined into a single document, but the underlying obligations are independent. A missing element under either statute is a separate violation.

Algorithmic underwriting

The CFPB's 2022 and 2023 circulars on adverse-action notices for AI underwriting reinforced that ECOA obligations apply in full when models are used in credit decisions. Specific and accurate reasons are required even when the model is complex. Vague or post-hoc reason codes that do not reflect the actual driver of the denial are themselves violations. Disparate-impact analysis applies to model outputs as much as to manual underwriting; "the model said no" is not a defense.

Evidence examiners want

  • Documented fair-lending program with senior-management oversight
  • Periodic disparate-treatment and disparate-impact testing of underwriting, pricing, servicing
  • Adverse-action notice templates with version history
  • Per-decision adverse-action notice records linked to the underlying decision and the model or report that produced it
  • Training records covering frontline staff and decision-makers
  • Complaint review with linkage between complaint themes and program changes
  • Vendor-oversight evidence for every third party that participates in credit decisions
  • For models: model-risk-management documentation, fairness testing, reason-code calibration

Common Regulation B failure modes

  • Generic adverse-action reason codes that don't match the actual driver of the denial
  • Failure to issue an adverse-action notice when the applicant did not formally complete an application but was effectively rejected through pre-screening
  • Disparate-impact effects from a marketing channel, eligibility filter, or pricing rule that the program never tested
  • Spousal-signature requirements that violate § 1002.7
  • Pricing variation by geography that maps to protected-class effects without a documented business justification

Each of these has driven enforcement actions in the past five years. None of them require any malice on the part of the creditor – the standard is the practice and its effect, not the intent.

How FinQub supports Regulation B compliance

FinQub records every credit-decisioning event with the policy ID and version that produced it, the model output where applicable, and the consumer record. Adverse-action notices are linked to the underlying decision with the reason codes that were actually applied – not generic post-hoc codes. Demographic data collected for monitoring purposes is segregated and not surfaced to decisioning workflows.

Examiner walkthroughs of disparate-treatment and disparate-impact testing draw evidence from the same hash-chained audit trail used for every other compliance program. The trail makes the actual operation of the program – including the changes that responded to internal testing or complaints – auditable across the program lifecycle.

Keep reading

Frequently asked questions

Stop building your orchestration layer. Start running on it.

Let's talk about what FinQub looks like for your stack – which tools you're running, where the pain is, and how quickly you can eliminate it.

Not ready to book a call? Apply for the Partner Program →