AI and Private Lending: What Private Lenders Need to Know

Artificial intelligence has arrived in the private lending shop. It is screening intake, drafting loan documents, answering borrower questions at midnight, and, in a growing number of operations, helping decide who gets funded. The pitch from every vendor is the same: hire an “AI employee,” cut headcount, close faster.

Here is the part the pitch leaves out. The moment a tool processes a borrower’s information
and helps make a lending decision, it stops being a productivity gadget and becomes a
regulated activity. Two state compliance deadlines land on January 1, 2027. Federal
enforcement looks quiet right now, which is precisely the conditions under which lenders get
comfortable and then get sued. This article maps the privacy and lending rules that actually
apply to AI in a private lending business, and then walks through where AI earns its keep
and where it creates exposure.

The trap: federal quiet is not the same as legal safety

Start with the temptation to do nothing. The Consumer Financial Protection Bureau has
pulled back hard. In April 2026 the Bureau finalized a rule eliminating disparate impact
analysis under the Equal Credit Opportunity Act, limiting its own enforcement to cases with
direct evidence of intentional discrimination. Supervision and examinations have been
scaled back across the federal banking agencies. If your only question is “will a CFPB
examiner walk through my door,” the honest answer in 2026 is probably not.

That is the trap. Three things did not go away when the federal posture softened:

  1. The statutes are still on the books. ECOA, the Fair Housing Act, the Fair Credit
    Reporting Act, and the Gramm-Leach-Bliley Act all still bind you. A change in one
    agency’s enforcement appetite does not repeal a federal statute.

  2. Private plaintiffs still sue. ECOA carries a five-year statute of limitations and a private
    right of action. A discriminatory outcome from your underwriting model in 2026 is
    litigable into 2031, regardless of who is running the Bureau by then.

  3. The states moved in. State attorneys general are openly filling the gap, in several cases
    by hiring the same staff who left the federal agencies and bringing the same theories at
    the state level. State AGs can pursue disparate impact claims under state law even
    where the CFPB has abandoned the tool federally.

The practical reading: the watchdog with the loudest bark went quiet, and a pack of smaller,
more local, and frankly more motivated enforcers took its place. Building an AI lending stack
on the assumption that nobody is watching is the single most expensive mistake available
right now.

The regulatory map for AI in private lending

There is no single “AI law” that governs a private lender. There is a stack of older lending and
privacy statutes that apply to AI by their own terms, plus a new layer of state automated
decision-making rules built specifically for tools like yours. You have to clear both layers.

The federal lending layer

ECOA and Regulation B. This is the center of gravity. ECOA prohibits credit discrimination
and requires that an applicant who is declined receive specific, accurate reasons for the
denial. The rule is technology neutral. It does not matter whether a human underwriter or a
model produced the decision. If your AI declines an applicant, you must be able to state the
actual reasons, and “the algorithm said no” is not a reason. A model you cannot explain is a
model you cannot lawfully deny credit with.

Disparate impact, courts, and your model. Even with the CFPB stepping back from
disparate impact, the theory survives in the courts and in state enforcement. The exposure is
structural: a court can treat the very decision to deploy an algorithmic underwriting tool as a
policy capable of producing biased outcomes. That means the choice to use a model, and
which model, is itself a decision you may have to defend. Federal retreat narrows one
enforcement channel. It does not close the courthouse or the state AG’s office.

FCRA. The minute your AI ingests credit report data or generates the kind of consumer
report that influences eligibility, FCRA attaches. Adverse action notice obligations,
permissible purpose limits, and accuracy duties all follow the data into the model.

GLBA. As a lender, you are a financial institution under the Gramm-Leach-Bliley Act. GLBA
governs how you collect, share, and safeguard nonpublic personal information. Feeding that
information into a third party AI service is a data sharing and safeguarding event, which is
where most of the real privacy risk lives. More on this below, because the GLBA story is
where lenders make their worst assumptions.

UDAAP and chatbots. Unfair, deceptive, or abusive acts and practices doctrine applies to
what your AI says to borrowers. A customer facing chatbot that gives a borrower wrong
information about their loan, their rate, or their options is not a harmless bug. It is a
statement your business made, and you own it.

The new state automated decision-making layer

This is the layer built for the technology you are deploying, and it is where the 2027 deadlines
live.

California. The California Privacy Protection Agency finalized rules governing automated
decision-making technology. They define ADMT broadly, as technology that processes
personal information and replaces or substantially replaces human decision-making, and
they apply when ADMT is used for a “significant decision,” a category that expressly includes
the provision or denial of financial or lending services. Covered uses trigger pre-use notices
in plain language, a consumer right to opt out, a right to access the information used, and a
right to appeal the decision to a human. Businesses using ADMT for significant decisions
must be compliant by January 1, 2027. Separate cybersecurity audit and risk assessment
obligations phase in on their own timelines, with the first cyber audit reports due in 2028.

Colorado. Colorado wrote the first comprehensive AI law in the country in 2024, and then
thought better of it. In May 2026 the governor signed SB 189, which repealed and replaced
the original act before it ever took effect. The original duty of care and algorithmic
discrimination framework is gone. The replacement is a lighter, disclosure and transparency
regime focused on automated decision-making technology used in consequential decisions,
which include financial services. It takes effect January 1, 2027, enforceable only by the state
attorney general with no private right of action, and mandatory implementing rules are due
from the AG by that date. The lesson for a multistate lender is not that Colorado got easier. It
is that this area is volatile, and a compliance program built to a statute as written can be
obsolete in a single legislative session.

The wider patchwork. Roughly twenty states now have comprehensive consumer privacy
laws, with new ones taking effect through 2026 and 2027 in states including Kentucky, Rhode
Island, Indiana, and Oklahoma. Most include automated decision-making or profiling opt-out
rights. New York has a proposal aimed squarely at automated decision tools in lending, with
annual impact assessments that would be posted publicly. There is no federal law
preempting any of this, and a proposed federal moratorium on state AI regulation drew
bipartisan opposition from dozens of state attorneys general. Plan for the patchwork,
because it is the operating reality, and where state rules conflict the strictest one tends to set
your floor.

The private lending wrinkle: who is the “consumer”?

Most state privacy laws protect “consumers,” meaning individual residents and their
personal information. A loan to a business entity is not, by itself, a consumer relationship.
That tempts private lenders to assume the privacy rules do not reach them.

Be careful. Your business-purpose loan file is full of personal information about real
individuals: the guarantor, the principals, the members of the borrowing LLC. Data about
those people is personal information. A privacy or ADMT obligation can attach to the
individuals behind the entity even when the loan itself is commercial. The entity may not be
a “consumer,” but the human who personally guaranteed the note almost certainly is. Treat
guarantor and principal data as protected, because a regulator or plaintiff’s lawyer will.

Privacy, in detail

Privacy deserves its own detailed treatment, because this is where the sharpest and least
understood risk sits for a lender adopting AI.

The GLBA assumption that gets lenders in trouble

The common belief in lending circles goes like this: “Our data is nonpublic personal
information governed by GLBA, GLBA-covered data is exempt from the CCPA, therefore
California’s AI rules do not apply to us.” Each clause is partly true, and the conclusion is
wrong.

Here is the actual structure. The CCPA contains a data-level exemption for information
already covered by GLBA. So a particular field of GLBA-regulated data may be carved out of
certain CCPA obligations. But the exemption runs to the data, not to you as a business. The
California regulator’s stated position is that the CCPA still applies to covered “businesses” and
is meant to supplement, not yield to, federal law. And California’s ADMT rules were drafted
to reach the activity of making lending decisions, defining “significant decision” to include
the provision or denial of financial or lending services directly.

That sets up a genuine, unresolved tension. Industry groups have argued forcefully that
information used to approve or deny a loan is inherently GLBA-covered nonpublic personal
information and therefore exempt, so the ADMT rules cannot reach lending. The regulator
drafted the rules as though they do reach lending. This is contested, and it is not safe to treat
your own preferred reading as settled law.

The defensible posture, until a court or the regulator resolves it: map your data flows and
sort what is genuinely GLBA-covered nonpublic personal information from what is not.
Marketing data, behavioral data, web and app data, and information about prospects who
never become borrowers frequently fall outside the GLBA shield. For anything in the gray
zone, build to the ADMT requirements rather than betting the firm on the exemption. The
cost of over-complying is some notice and opt-out plumbing. The cost of guessing wrong is an
enforcement action with a 2027 effective date already on the calendar.

What the ADMT obligations actually require

Where the rules apply, they are concrete and operational, not abstract. You owe borrowers,
at minimum: a pre-use notice in plain language explaining that automated technology is
being used and what alternatives exist; the ability to opt out of the automated process; access
to the categories of information the technology used; and a path to appeal an adverse
outcome to a human reviewer. None of that is exotic. All of it has to exist before you deploy,
not after a complaint, and “we will build it later” is not a compliance plan when the deadline is fixed.

Sending borrower data to an AI vendor is a privacy event

The highest frequency privacy mistake is also the most mundane. Staff paste borrower
financials, credit data, or entire loan files into a consumer AI tool to “speed things up.” Under
GLBA’s safeguarding obligations, that is a transfer of nonpublic personal information to a
third party, and it can be a security and a sharing violation at the same time.

The controls are not complicated, but they have to be deliberate: use enterprise grade tools
with contractual commitments that your inputs are not used to train the vendor’s models and
are not retained; bind every AI vendor with the same kind of data protection and
confidentiality terms you already use for any service provider touching loan files; and give
your team a clear, enforced rule about what may and may not go into which tool. A single
staffer pasting a borrower’s full financial picture into a free chatbot can manufacture a
breach narrative that no after-the-fact policy will cure.

Call recording, transcripts, and consent

If you are using AI note-takers or transcription on borrower and investor calls, and many
lenders now are, consent is a live issue. California is an all-party consent state for recording
confidential communications. An AI listening to and transcribing a borrower call can be a
recording for these purposes. Disclose it and capture consent at the top of the call. The same
caution applies to anything that later gets summarized or routed into a CRM, because a
transcript is a record, and records get discovered.

Fund and investor data under the securities overlay

For lenders operating through a fund, AI that touches investor communications inherits the
securities rules. A tool that drafts investor updates, answers subscription questions, or
summarizes performance is generating statements that cannot be misleading and cannot
stray into advice or an offer the structure does not permit. The Regulation D and disclosure
discipline you already apply to human communications applies to machine-generated ones,
with the added wrinkle that a model will produce confident, polished text whether or not it is
accurate. Polish is not the same as truth, and a clean paragraph of investor communication
can still be a securities problem.

The “AI employee” reality check

The vendor frame is “AI loan officer” or “AI employee.” For a lender, that frame is a liability
trap, and it is worth being blunt about why.

You cannot delegate legal accountability to a model. If your “AI underwriter” produces a
discriminatory pattern, the model does not answer to the attorney general. You do. If your
“AI loan officer” misstates a rate, the model is not the one that made a deceptive statement to
a borrower. Your business did. An AI tool is not an employee in any sense the law recognizes.
It is an instrument your licensed, accountable business operates, and the accountability stays
with you no matter what the tool is named.

That has a practical design consequence. The right architecture is not “AI makes the
decision.” It is “AI does the work, a human owns the decision and can explain it.” That single
principle keeps you on the right side of ECOA’s specific-reasons requirement, on the right
side of the ADMT human-appeal right, and out of the worst version of the disparate impact
exposure. The lenders who will have trouble are the ones who let a model become the
decision-maker of record. The lenders who will be fine are the ones who use AI to make
accountable humans faster.

Reframe the whole thing accordingly. You are not hiring AI employees. You are giving your
real employees AI assistants, under human supervision, with the decision and the liability
staying exactly where they have always been.

Where AI earns its keep, function by function

With that frame in place, here is where AI delivers real value in a private lending operation,
and the specific compliance flag attached to each.

Intake and pre-qualification assistant. AI is genuinely good at first-touch borrower
interaction: answering routine questions, collecting documents, and organizing a file before a
human sees it. The flag: this is a customer-facing statement engine, so UDAAP applies to
everything it says, and it must not give the impression of a credit decision it is not authorized
to make. Keep it informational and keep the “yes or no” with a human.

Underwriting and credit analysis support. AI can summarize financials, flag
inconsistencies, surface missing items, and draft a credit memo for a human underwriter to
review and sign. The flag: this is the highest-risk function, the one ECOA and the ADMT rules
were built for. Keep the model in an advisory seat, ensure every decline reason is
human-verified and specific, and never let an unexplainable score become the basis for a denial.

Document drafting and review. AI can produce strong first drafts of loan documents,
redline against a checklist, and catch missing provisions. The flag: confidentiality of what you
feed it, accuracy of what it produces, and the bright line that drafting and reviewing loan
documents is the practice of law. This belongs under attorney supervision, not as a self-serve
replacement for one. A confident, well-formatted draft with a wrong cross-default provision
is more dangerous than an obvious mistake, because it looks finished.

Servicing and borrower communications. AI can handle payment reminders, answer
servicing questions, and route issues. The flag: collections-adjacent communications
implicate the FDCPA and its state analogs, and again every word is a statement you are
responsible for. Disclosure that the borrower is interacting with an automated system is
increasingly expected and in some places required.

Marketing and lead generation. AI can draft campaigns, segment lists, and personalize
outreach. The flag: the Telephone Consumer Protection Act governs automated outreach, and
the federal Homebuyers Privacy Protection Act, effective in 2026, tightens the rules on trigger
leads and how credit information can be used to market mortgage offers. AI that scales your
outreach also scales your TCPA and trigger-lead exposure.

Fraud detection and AML. This is the friendliest use case. Regulators broadly favor
AI-driven transaction monitoring and fraud screening, and it strengthens your GLBA safeguards
rather than straining them. The flag: governance and documentation, so you can show why
the model flags what it flags.

Internal knowledge and operations. AI as an internal research assistant, meeting
summarizer, and process accelerator carries the lowest external risk, provided you respect
the data rules above on what goes into the tool and what the tool is allowed to retain.

The pattern across all of these is the same. AI is strongest the further it sits from the actual
credit decision and the closer it sits to the work that supports a human decision. Push it
toward analysis, drafting, organization, and detection. Keep it away from being the
decision-maker of record.

Acting on it before the 2027 deadlines

Reading the landscape is one thing. Acting on it before the January 1, 2027 deadlines is
another. We built a step-by-step readiness checklist that walks a private lender through
exactly what to inventory, what to paper, and what to stand up, in order, so AI adoption
strengthens your shop instead of exposing it.

Download the AI Compliance Readiness Checklist for Private Lenders

A free, practical worksheet from Geraci LLP covering data-flow mapping, vendor terms,
human-accountability policy, and the 2027 state deadlines.

Questions? Contact Anthony Geraci at anthony@geracillp.com

AI is going to make private lending faster, cheaper, and in many ways better. It is not going to
make the law go away, and the firms that treat it as a regulated activity from day one are the
ones that will still be lending, without a consent order, when their less careful competitors
are explaining themselves to a state attorney general.

Key authorities and developments referenced
• Equal Credit Opportunity Act and Regulation B (15 U.S.C. 1691 et seq.)
• Fair Credit Reporting Act; Fair Housing Act; Gramm-Leach-Bliley Act
• CFPB final rule on ECOA fair lending enforcement (April 22, 2026), eliminating disparate impact analysis
• California Privacy Protection Agency ADMT regulations, compliance deadline January 1, 2027
• Colorado SB 189 (signed May 14, 2026), repealing and replacing the 2024 Colorado AI Act, effective January 1, 2027
• Homebuyers Privacy Protection Act (effective 2026), restricting mortgage trigger leads
• Emerging comprehensive state privacy laws (Kentucky, Rhode Island, Indiana, Oklahoma, and others)
