Federal & EU panel
A fixed (non-state-dependent) panel summarising the federal financial-services frameworks and the EU AI Act's Annex III as it applies to insurance and credit. Each entry carries its own last_verified date.
Federal — United States
CFPB — Adverse-Action / ECOA Guidance on AI Credit Decisions
- Status
- Adopted
- Sector
- Lending / fintech
- Effective date
2023-09-19- Last verified
2026-07-08- Primary source
- Primary source ↗
CFPB's September 2023 circular (and the underlying ECOA / Regulation B) requires lenders to provide specific and accurate reasons for adverse actions even when the decision was made by a complex algorithm or 'black-box' ML model. The 'no black-box' rule survived CFPB's April 2026 narrowing of disparate-impact enforcement. Lenders using AI/ML in credit decisions must be able to identify the principal reasons for denial to applicants.
OCC / Federal Reserve / FDIC — Interagency Model Risk Management Guidance (April 2026, replacing SR 11-7)
- Status
- Adopted
- Sector
- Lending / fintech
- Effective date
2026-04-01- Last verified
2026-07-08- Primary source
- Primary source ↗
In April 2026 the OCC, Federal Reserve, and FDIC jointly replaced the 2011 SR 11-7 model-risk guidance with updated interagency guidance that explicitly addresses AI/ML, third-party model risk, and ongoing monitoring. The new guidance is the federal floor for any bank or insured depository using AI in credit, fraud, AML, or any other model-driven decision. SR 11-7 itself was rescinded, not amended.
European Union
EU AI Act — Annex III (credit scoring, life/health insurance risk-pricing)
effective_date. The Digital Omnibus deferral (agreed May 7, 2026, not yet law as of this row's last_verified) is flagged in the summary — confirm at the time of any action.- Status
- Pending adoption
- Sector
- Both
- Effective date (current law)
2026-08-02- Last verified
2026-07-08- Primary source
- Primary source ↗
Annex III of the EU AI Act classifies AI systems used for credit scoring and life/health insurance risk-pricing as 'high-risk,' triggering the full Chapter III obligations (risk management, data governance, technical documentation, human oversight, conformity assessment, post-market monitoring). The current-law enforcement date is August 2, 2026. A proposed Digital Omnibus deferral (agreed May 7, 2026, not yet law at the time of this row) would push the date to December 2, 2027 — track both and confirm at the time of action.