Adverse action notices with LLMs: the explainability bar regulators actually enforce
How to draft an adverse action notice that survives ECOA Reg B, GDPR Article 22, and the plain-language fairness expectations of the FCA, MAS, APRA, OSFI, and RBI — with a working prompt and three jurisdictional renderings of the same decline.
When a lender declines a loan, the decline notice is the only document the regulator and the applicant are guaranteed to read. It is the audit trail, the customer-experience moment, and — if the decline was driven by a model — the explainability artefact, all collapsed into one piece of paper. This is part of our ongoing builders’ work on AI-augmented lending workflows; the upstream piece on how to underwrite loans with AI covers where the structured decision record comes from in the first place. This post is about what happens after that record produces a no.
The reason most LLM-drafted adverse action notices break is that builders treat the notice as a writing problem when it is actually a layering problem. The notice has to satisfy three different bars from three different regulatory traditions, and the prompt that produces a defensible notice is the one that knows which bar is the strictest for each clause and writes to that one.
What an adverse action notice actually has to do
Three jobs, in order of how often LLM drafts fail them.
The first is the specific-reasons job. In the U.S., 12 CFR § 1002.9 and Regulation B generally require a creditor to give the applicant the specific, principal reasons for the adverse action — not a generic class of reason, not a model output described in the abstract, not “you did not meet our criteria.” The CFPB tightened this further in Circular 2022-03, which explicitly addresses credit decisions based on “complex algorithms” and the temptation to hide behind them. The regulator’s position is that the obligation to give specific reasons applies regardless of the technology used to produce the decision.
The second is the meaningful-information-about-the-logic job. In the EU, GDPR Article 22 gives data subjects the right not to be subject to solely-automated decisions that produce legal or similarly significant effects, with the well-known exceptions for contractual necessity, explicit consent, and EU/member-state law. The corollary — the part that matters for the notice — is the obligation in Articles 13 to 15 to provide meaningful information about the logic involved, the significance, and the envisaged consequences. The EU AI Act sharpens this further by classifying credit-scoring systems as high-risk under Annex III, which triggers explainability and human-oversight obligations under Title III. None of this requires the lender to publish the model. It requires the lender to describe, in language the applicant can act on, what about their file drove the outcome.
The third is the plain-language-fairness job. The FCA’s Consumer Duty (PS22/9) requires firms to deliver communications that consumers can understand and to avoid foreseeable harm, including the harm of confusion at the moment of decline. The MAS FEAT principles set transparency expectations for AI in Singapore’s financial sector. APRA’s CPS 230 frames operational risk in ways that include borrower-facing communications. OSFI’s Guideline E-23 sets enterprise-risk expectations for model-driven decisions in Canada. The RBI’s Digital Lending Guidelines, particularly the Key Fact Statement obligations, push the same direction in India: decline communications must be clear, must be in language the applicant understands, and must let them act on the information. There is no single regulator dictating prose style, but there is a striking convergence on what good looks like.
A notice that clears all three bars is shorter than most builders fear, and the prompt that writes it is correspondingly compact.
The U.S. bar — ECOA, Reg B, and the principal-reasons rule
12 CFR § 1002.9(a) requires a creditor to notify an applicant of action taken within 30 days of receiving a completed application, with adjusted clocks for incomplete applications and counter-offers. § 1002.9(b)(2) requires the notice to contain the specific, principal reasons for the adverse action — the rule that the CFPB sharpened in Circular 2022-03.
What does “specific” mean in practice? The regulator’s own examples, and decades of enforcement, point at the same thing. “Insufficient income” is generic; “income reported (USD 38,000) below the minimum threshold for the requested credit limit (USD 75,000) on this product” is specific. “Bureau score too low” is generic; “bureau score of 612 below the minimum cut-off of 660 for this product, with the four reported factor codes being a high revolving utilization rate, a recent serious delinquency, length of credit history too short, and the most recent inquiry within ninety days” is specific.
This is the clause where most LLM drafts fail without help. Without an explicit instruction to cite the source field, the model defaults to fluent vagueness — phrases that sound like adverse-action language but cite nothing the regulator can match against the file. The fix is a prompt rule that requires every reason to be tied to a specific input field, exactly as the underwriting credit memo prompt does for figures inside the memo.
The EU bar — Article 22 and the AI Act high-risk frame
GDPR Article 22 sits inside a broader transparency apparatus. The right is not to a description of the model. It is to meaningful information about the logic involved, in the sense that a reasonable person reading the notice can identify what about their submission produced the outcome and can decide whether to contest it.
In practice, three things turn an LLM-drafted notice into one that survives an Article 22 challenge.
It describes the contributing factors, not the model. “Your application was assessed using an automated underwriting model” is honest but useless to the applicant. “The two factors that drove the outcome were a debt-service ratio of 58% (above our 50% threshold) and a stated employment tenure of four months (below our twelve-month minimum for unsecured credit)” is the same fact, told in a way the applicant can act on.
It signposts the route to human review. Under Article 22(3), where the contractual-necessity or explicit-consent exception applies, the data controller must implement suitable measures to safeguard the data subject’s rights, including the right to obtain human intervention. The notice has to make that route obvious. A line as simple as “to ask a person to re-review this decision, reply to this email or call the number below” is enough.
It does not name the model. The temptation to flex — “decision generated by ModelName v3.2” — adds nothing for the applicant and creates a vendor-disclosure liability. The notice describes the inputs and the thresholds, not the inference engine.
The EU AI Act’s high-risk classification of credit-scoring systems under Annex III, point 5(b) reinforces this from a different angle. The Act requires risk management, human oversight, and explainability for high-risk systems, and the adverse action notice is one of the artefacts that demonstrates explainability is operating. Notices that describe inputs and thresholds map onto the Act’s expectations cleanly. Notices that read like marketing prose do not.
The plain-language bar — what the others actually want
The FCA’s Consumer Duty is explicit about communications: they must be in language the consumer can understand, and they must avoid foreseeable harm, including financial harm caused by confusion. A decline notice that uses the phrase “your application did not meet our criteria” does not, on a strict reading, harm the consumer. A decline notice that explains the two specific reasons and tells the consumer what they could do differently next time does much better against the Duty’s outcome tests.
MAS FEAT, OSFI E-23, APRA CPS 230, and the RBI Digital Lending Guidelines all converge on the same operational expectation: the decline communication should be in plain language, should be reachable through the same channel the applicant used, and should not require the applicant to chase the lender for further explanation. The convergence makes the global default easy: write the notice in language a smart non-specialist can act on, deliver it through the original channel, and tell the applicant where to ask follow-ups.
The prompt — adverse action notice from a structured underwriting record
This is the original artefact for this post. The prompt is short on purpose; the constraints in the rules block do most of the work.
SYSTEM
You are drafting the body of an adverse action notice for a declined loan
application. The legal disclosure block, the rights statement, and the
regulator citation will be appended by a deterministic template — do not
draft them. Your job is the reasons section and the next-steps section.

INPUTS
- decision_record: the full structured underwriting decision (JSON)
- applicant_jurisdiction: one of {"US-state", "EU", "UK", "IN", "SG", "OTHER"}
- product: the credit product (e.g., "unsecured personal loan")
- amount_requested: requested principal in USD
- date_of_application: ISO date

OUTPUT FORMAT
1. SPECIFIC REASONS FOR DECLINE
   - Bullet list of 1 to 4 reasons.
   - Each bullet cites the exact input field that drove it (e.g.,
     "debt_service_ratio = 58.4% vs threshold 50.0%").
   - No reasons that are not in the decision_record.
2. WHAT THIS MEANS FOR YOU
   - Two to three sentences, plain language, no jargon.
   - Names the practical implication of each reason without restating it.
3. WHAT YOU CAN DO NEXT
   - Bullet list of 1 to 3 actionable steps the applicant can take.
   - Includes the human-review route (reply, phone, in-person) if
     applicant_jurisdiction is EU or UK.
   - Does not include speculative offers ("you may qualify if…").

RULES
- Refuse to name any protected attribute (race, sex, religion, national
  origin, age, disability, marital status, source of public assistance).
  If the decision_record contains one, return [POLICY_VIOLATION] and stop.
- Refuse to name any internal model parameter (model name, weights,
  feature importances, score bands beyond what the applicant's bureau
  pull would already show).
- If the decision_record contains "score_principal_driver = true", the
  reasons section must include both the score and the four factor codes
  reported with the score.
- If a number appears in the body, it must appear in the decision_record.
  No inferred figures, no rounding for prose, no examples.
- Tone: direct, neutral, second person ("your"), no apologies, no
  marketing language, no future-product cross-sell.
The template that wraps the prompt’s output supplies the rights disclosure, the regulator citation, the ECOA right-to-a-copy-of-any-appraisal-report block where applicable, the GDPR Article 22 human-review pointer where applicable, and the firm’s address and reference number. Those clauses are deterministic because the regulators wrote them and the wording is fixed — and because an LLM that paraphrases boilerplate has just introduced a compliance bug into a clause whose value is its predictability.
The same decline, three jurisdictions
To show what changes and what does not, take a single synthetic decline and run the prompt against three jurisdictions. The applicant — call them Alex Lin — has applied for a USD 12,000 unsecured personal loan. The decision record returns:
{
  "decision": "decline",
  "score_principal_driver": false,
  "principal_reasons": [
    {"field": "debt_service_ratio", "value": 0.584,
     "threshold": 0.500, "direction": ">"},
    {"field": "employment_tenure_months", "value": 4,
     "threshold": 12, "direction": "<"}
  ],
  "score": 648,
  "score_factors": null
}
Texas (US-state). The reasons section names the debt-service ratio, with the source field and the threshold, and the employment-tenure shortfall, with the source field and the threshold. The next-steps section points the applicant at the bureau and at the right to ask for any appraisal report, language drawn from § 1002.9 and not from the LLM. The template appends the ECOA notice verbatim.
Berlin (EU). Identical reasons section. The next-steps section adds one extra bullet: “to ask a person to re-review this decision, reply to this email or call +X.” The template appends the firm’s data-protection-officer contact and the line, drawn from Article 22, that the applicant has the right to obtain human intervention, express their point of view, and contest the decision. The body of the notice — the part the LLM produced — barely changes.
Mumbai (IN). Identical reasons section. The next-steps section adds the language consistent with the RBI Digital Lending Guidelines on the Key Fact Statement and the route to grievance redressal. The template appends the lender’s grievance-redressal officer contact and the cooling-off-period reference where it applies to the product. Again, the body the LLM produced is unchanged.
The point of running it three ways is to demonstrate the layering. The LLM is a globally portable component because the specific-reasons obligation is globally portable. The template carries the local boilerplate. The build pattern is “global body, local rights envelope,” and once the split is clean the prompt becomes much smaller.
The parts the LLM should never write
Four clauses stay deterministic, full stop.
The rights-disclosure boilerplate. Under § 1002.9(b)(1), the U.S. notice must include either the ECOA notice in full or its substantive equivalent. The wording is set; an LLM that paraphrases is doing work the regulator did not ask for and is creating a clause that has to be reviewed every run.
The regulator citation. The notice has to cite the right regulator and the right office. A typo in the agency name is a compliance defect that costs nothing to prevent.
The right to a copy of any appraisal report. § 1002.14 obliges creditors to provide copies of valuations developed in connection with an application for credit secured by a first lien on a dwelling. The trigger and the wording are fixed.
The human-review pointer for EU/UK applicants. The Article 22 safeguard — the explicit right to human intervention — is a compliance line and a UX line at the same time. The LLM can write the prose around it; the line itself is templated.
Failure modes the prompt is built to refuse
The prompt earns its size in the rules block. Five things it is designed not to do.
Naming a protected attribute. The first refusal rule is the one whose presence in the audit trail is most defensible. Even if the decision record does not contain a protected attribute, the rule signals to a future auditor that the system was designed to refuse it.
Citing internal model parameters. “Decision generated by underwriting model XR-7 with feature weights [0.31, 0.18, …]” is the failure mode that AI-curious teams produce when they over-explain. The applicant cannot act on it. The vendor relationship gets exposed. The rule blocks it.
Vague language. “You did not meet our criteria” is the failure mode that compliance-careful teams produce when they over-correct. The rule that every reason must cite a source field forces the prose past it.
Inferred figures. The model occasionally invents a number that is consistent with the decision record but is not in it — “your debt-service ratio is around 60%” when the record says 58.4%. The rule that any number in the body must appear in the decision record blocks the rounding-for-prose impulse and gives the audit trail a clean diff against the source.
Speculative cross-sell. “You may qualify for our secured product” inside a decline notice has been a mis-selling vector for years. The rule against future-product cross-sell keeps the notice clean.
Each of these refusals is also an audit trail. A prompt with these rules in place produces both an output and a record that the system was instructed to refuse the bad pattern, which is a much stronger artefact in front of a regulator than a prompt that happens to produce a clean notice on the day someone audits.
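The refusal rules can also be re-checked after generation, so that the "clean diff against the source" is computed rather than assumed. The Python validator below is an added example, not part of the original post or its prompt library. The function names, the banned-phrase list, the matching of a percentage in prose to a ratio in the record, and the treatment of score_factors as a list of strings are all assumptions made for illustration.

```python
import json
import re
from decimal import Decimal

# The post's Alex Lin decision record; ratios are parsed as exact decimals.
DECISION_RECORD = json.loads("""{
  "decision": "decline", "score_principal_driver": false,
  "principal_reasons": [
    {"field": "debt_service_ratio", "value": 0.584, "threshold": 0.500, "direction": ">"},
    {"field": "employment_tenure_months", "value": 4, "threshold": 12, "direction": "<"}],
  "score": 648, "score_factors": null}""", parse_float=Decimal)
# Constructed draft bodies: one that follows the rules, one that breaks them.
GOOD_BODY = ("1. SPECIFIC REASONS FOR DECLINE\n"
             "- debt_service_ratio = 58.4% vs threshold 50.0%\n"
             "- employment_tenure_months = 4 vs threshold 12\n")
BAD_BODY = "Your debt-service ratio is around 60%. You may qualify for our secured product."

# Protected attributes named in the prompt's RULES block.
PROTECTED = ("race", "sex", "religion", "national origin", "age",
             "disability", "marital status", "public assistance")
# Phrases the post quotes as failure modes (a heuristic list, assumed here).
BANNED = ("did not meet our criteria", "you may qualify",
          "feature weight", "feature importance", "generated by")
NUMBER = re.compile(r"\d[\d,]*(?:\.\d+)?%?")

def _walk(node):
    """Yield every (key, value) pair in the record, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)

def protected_fields(record):
    """Return key or field names in the record that name a protected attribute."""
    pairs = list(_walk(record))
    names = [k for k, _ in pairs] + [v for k, v in pairs if k == "field"]
    return [n for n in names if any(
        re.search(rf"\b{t}\b", str(n).replace("_", " ").lower()) for t in PROTECTED)]

def validate_body(body, record):
    """Return rule violations for an LLM-drafted body; empty list means pass."""
    if protected_fields(record):
        return ["[POLICY_VIOLATION]"]
    lowered = body.lower()
    problems = [f"banned phrase: {p}" for p in BANNED if p in lowered]
    allowed = {Decimal(str(v)) for _, v in _walk(record)
               if isinstance(v, (int, float, Decimal)) and not isinstance(v, bool)}
    seen = set()
    # Strip list markers ("1. ") so section numbering is not read as a figure.
    for token in NUMBER.findall(re.sub(r"(?m)^\s*\d+\.\s", "", body)):
        value = Decimal(token.rstrip("%").replace(",", ""))
        # Assumption: a percentage in prose may render a ratio in the record.
        forms = {value, value / 100} if token.endswith("%") else {value}
        seen |= forms
        if not forms & allowed:
            problems.append(f"ungrounded number: {token}")
    for reason in record.get("principal_reasons") or []:
        if reason["field"] not in body:
            problems.append(f"reason not cited: {reason['field']}")
    if record.get("score_principal_driver"):
        if Decimal(str(record["score"])) not in seen:
            problems.append("score missing from body")
        for code in record.get("score_factors") or []:  # assumed: list of strings
            if code.lower() not in lowered:
                problems.append(f"factor code missing: {code}")
    return problems
```

Only figures written as digits are checked; a number spelled out in words ("four months") passes through unexamined, so the phrase list and the digit check are a floor, not a substitute for review.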
What changes when the principal driver is the score
If score_principal_driver is true, the Circular 2022-03 angle becomes load-bearing. A notice that says “bureau score below cut-off” without the four factor codes is the textbook example the CFPB called out: the applicant cannot tell from the notice what about their file drove the outcome. The prompt’s rule that the score-driven case must include both the score and the factor codes is the compliance hinge for U.S. files. For EU files, the same rule is the practical implementation of “meaningful information about the logic” — the applicant cannot litigate the model, but they can litigate “your most recent serious delinquency was the largest single factor.”
The factor codes carry across jurisdictions. The bureau supplies them as part of the score; the applicant in Berlin and the applicant in Mumbai both benefit from seeing the four reasons that lowered the score, in the same form. The prompt does not need a separate jurisdictional branch for this case.
A one-page mapping from clause to regulation
For audit purposes, the clause-to-regulation mapping is its own artefact. A team running this prompt at scale should print the mapping and pin it next to the prompt; it is the document an auditor will ask for first.
The reasons section maps to ECOA § 1002.9(b)(2) and CFPB Circular 2022-03 in the U.S., to GDPR Articles 13 to 15 and Article 22 in the EU, to the FCA Consumer Duty’s understanding outcome in the UK, to the MAS FEAT transparency principle in Singapore, to the OSFI E-23 model-explainability expectation in Canada, to the APRA CPS 230 communications expectation in Australia, and to the RBI Digital Lending Guidelines’ Key Fact Statement framework in India.
The next-steps section maps to the Article 22 human-intervention safeguard in the EU, to the FCA’s foreseeable-harm test in the UK, and to the RBI’s grievance-redressal expectations in India. In jurisdictions without an explicit human-review right, the line is still defensible as a Consumer Duty equivalent.
The rights-disclosure block is fully templated and maps to the named regulator in each jurisdiction. The LLM does not touch it.
Where this connects to the rest of the workflow
The notice is downstream of the decision, and the decision is upstream of the applicant’s whole experience of you. The same structured record that drives the credit memo on approval drives the adverse action notice on decline. The same prompt-design discipline — cite the source field, refuse the vague language — is the discipline that keeps your collections communications on the right side of the line later in the loan lifecycle.
Get the decision record clean and the rest follows. Skip the discipline upstream and every downstream document inherits the mess.
Next read and what to grab
The credit memo post is the natural pair to this one — same record, same prompt-design vocabulary, opposite end of the decision. The full prompt set, including the adverse-action prompt above and its template wrapper, lives in the AI Lending Prompt Library for teams that want the whole chain rather than to rebuild it.
A defensible adverse action notice is not the longest document in your stack. It is the most-read.
Frequently asked questions
Can I let an LLM write the entire adverse action notice?
No, and you should not want to. The body of the notice — the specific reasons for the decline, written in plain language, scoped to the applicant's file — is exactly the part an LLM is good at and where a deterministic template fails. The boilerplate around it — the rights-disclosure block, the regulator citation, the ECOA notice of the right to a copy of any appraisal report — must stay templated, because that text is set by regulation and an LLM that paraphrases it has just introduced a compliance bug. Split the notice on those lines: LLM writes the reasons, template writes the rights.
Does GDPR Article 22 actually ban automated credit decisions?
Article 22 does not ban automated credit decisions, but it gives data subjects a right not to be subject to a decision based solely on automated processing where the decision produces legal or similarly significant effects, with explicit exceptions for contractual necessity, explicit consent, and authorisation by EU or member-state law. Most lenders rely on the contractual-necessity exception, which obliges them to provide meaningful information about the logic involved and a route to human review. The notice is the artefact that proves you delivered both.
Is 'low credit score' a specific enough reason for an ECOA adverse action notice?
Almost never. CFPB Circular 2022-03 makes the position explicit: a creditor cannot use overly broad or vague reasons, and must provide the specific, principal reasons that drove the decision. 'Low credit score' is acceptable only when the score genuinely was the principal driver and is paired with the specific factors that lowered it — typically the four factor codes returned alongside the score. Most LLM-drafted notices fail here by stopping at the score and skipping the contributing factors, which is the part the regulator is actually asking for.
How long do I have to send an adverse action notice after a decline?
Under 12 CFR § 1002.9, a creditor must notify an applicant of action taken within 30 days of receiving a completed application, with shorter windows for incomplete applications and counter-offers. Other jurisdictions are typically less prescriptive on the clock and more prescriptive on the content, but the working assumption that travels — 30 days, with the notice in the applicant's hands — is a defensible global default.
Sources
- Circular 2022-03: Adverse action notification requirements in connection with credit decisions based on complex algorithms · Consumer Financial Protection Bureau
- 12 CFR § 1002.9 — Notifications · Electronic Code of Federal Regulations
- GDPR Article 22 — Automated individual decision-making, including profiling · Intersoft Consulting
- PS22/9: A new Consumer Duty · Financial Conduct Authority
- Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of Artificial Intelligence and Data Analytics in Singapore's Financial Sector · Monetary Authority of Singapore
- Guidelines on Digital Lending (September 2022) · Reserve Bank of India