Public Mortgage Lender (Illustrative Profile)
v1Financial Services · Generated 4/13/2026, 9:40:00 PM
Public Mortgage Lender (Illustrative Profile) presents critical AI risk that would likely result in a decline recommendation. The composite risk score of 100 reflects 5 primary risk drivers across 5 mapped claims scenarios. Score confidence should be evaluated in conjunction with the evidence readiness metrics below.
Risk Dimensions
Inherent Harm
4.8
/ 5.0
Top Risk Drivers
What safeguards exist to detect and prevent algorithmic bias in lending, underwriting, or customer-facing financial decisions?
The Mobley v. Workday trajectory has made algorithmic bias a class-action vector, not just a regulator question. Documented testing and mitigation is the defense that survives discovery.
Does the organization conduct regular fair lending analysis specifically on AI-driven credit decisions?
Disparate-impact testing plus the documented less-discriminatory-alternatives search is the SR 11-7 + ECOA fusion carriers and examiners have converged on. Absent testing is the most expensive gap in credit AI.
Are all AI/ML models and systems documented in a formal inventory with version control and ownership tracking?
Without a central inventory, no one can answer "what AI is running here, and who owns it?" — which is the first question every carrier, regulator, and board committee asks after an incident.
What is the validation and testing regime before deploying AI models or updates to production?
Unvalidated models in production are the single largest source of E&O and professional-liability claims. Pre-deployment testing catches the material failure modes; post-update re-validation catches regressions.
What input validation and security controls protect AI systems from adversarial attacks or manipulation?
Adversarial attacks on AI are no longer theoretical — prompt injection, data poisoning, and model theft are live in the threat landscape. Cyber carriers are explicitly pricing for this now.
Remediation Roadmap
Bias detection, testing, and mitigation for high-impact AI
Identify AI decisions that affect people (employment, credit, housing, healthcare, pricing, content distribution). Define the protected and consequential cohorts. Run pre-deployment bias testing — disparate impact ratio, equalized odds, or the metric appropriate to the decision type — and continuous testing in production. Establish a mitigation playbook: re-training, reweighting, thresholding, or removal when thresholds are breached.
Done looks like: A bias-testing standard that names the metrics, thresholds, and cadence for each AI system. Test reports for all in-scope systems in the last 12 months. A documented mitigation action on any system where thresholds were breached, reviewed by governance.
Fair-lending testing regime for AI/ML credit models
Run pre-deployment and continuous fair-lending testing on credit models: disparate-impact analysis across protected classes, comparative-file review, and proxy-variable investigation. Establish thresholds that trigger mitigation. Document the less-discriminatory-alternatives search — CFPB Circular 2022-03 makes the search itself a compliance artifact. Keep statistician-of-record sign-off on methodology.
Done looks like: Fair-lending testing standard with named metrics and thresholds, quarterly testing reports for all in-scope models, documented LDA search for each material model change, and at least one model-mitigation decision in the last 18 months where testing surfaced an issue.
Stand up a formal AI/ML model inventory
Create a single source of truth for every production and staged AI system — foundation models, fine-tuned variants, classical ML, and rule-based decision engines. Each record captures: owner, business purpose, data inputs, decision outputs, deployment environment, dependencies, validation status, last review date, and mapped risk tier. Assign accountable owner with sign-off authority.
Done looks like: A model registry (e.g. in a governance platform or a version-controlled catalog) listing every AI system in use, with a named human owner for each, mapped to a business process. Auditable update history. Quarterly reconciliation against production telemetry catches un-registered systems.
Pre-deployment validation & model testing regime
Require every in-scope AI system to clear a validation protocol before production: independent test dataset, performance metrics appropriate to the task (accuracy, calibration, false-positive/false-negative rates by subpopulation), stress testing, and business-impact sign-off. Validation is re-run on material model updates. Validation artifacts are retained in the model record.
Done looks like: A documented validation framework — scoped by model risk tier — with test artifacts, holdout performance reports, and bias/fairness metrics stored in the model registry. For each production AI system, a dated validation report with named validator and explicit deployment go/no-go decision.
Adversarial input defense and data-pipeline integrity
Harden AI inputs against prompt injection, adversarial examples, data poisoning, and model theft. Implement input validation and sanitization, rate-limiting on generative endpoints, monitoring for anomalous input patterns, and integrity checks on training and fine-tuning data. For generative AI, add output filtering aligned to policy.
Done looks like: A threat model covering adversarial AI attacks, implemented controls (input sanitization, output filtering, rate-limiting) for customer-facing generative systems, monitoring for injection attempts, and a recent penetration test or red-team exercise targeting AI endpoints.
Claims Scenarios(5)
Evidence Confidence
Band
high
Tier
4
Margin
±2
Score Range
98–100
Documented
47%
By Area
Interaction Effects
Carrier-only: cross-signal risk amplifiers and mitigators
Risk Amplifiers (4)
No bias controls × prior regulatory findings — pattern-of-conduct exposure
Absent bias controls + regulatory compliance issues
A history of regulatory findings combined with no current bias-testing regime is the fact pattern enforcement lawyers build cases around. Once a prior consent order or supervisory finding exists, absence of bias controls establishes the "knew-or-should-have-known" element that supports enhanced penalties and individual officer liability under CFPB, DOJ, and state AG theories. Carriers view this as constructive notice.
Evidence that would neutralise this
Documented bias-testing protocol applied on a published cadence, plus evidence that findings from the prior regulatory matter have been specifically closed out with written regulator acknowledgment or independent-auditor sign-off.
Governance claimed × inventory incomplete — disclosure/securities risk
Governance claims without complete model documentation
When leadership represents strong AI governance externally (in 10-Ks, AI Bill of Rights compliance claims, SOC reports, customer attestations) but the underlying model inventory is weak, the representation is actionable. SEC AI-washing enforcement (Delphia, Global Predictions — March 2024) made clear that false or unsupported AI governance claims are securities violations. This combination drives D&O exposure.
Evidence that would neutralise this
An internal reconciliation between external governance claims and the actual model registry, with disclosures reviewed by counsel before publication. Minimum bar: the most recent external claim can be traced to inventory evidence.
No bias controls × governance without teeth — systematic-bias risk
Absent bias controls + moderate-only governance
A governance framework that exists but does not include affirmative bias testing is the "policy without practice" pattern. It is the exposure structure underlying Mobley v. Workday, the iTutorGroup EEOC settlement, and the SafeRent consent decree — disparate-impact outcomes at scale without the testing that would have caught them.
Evidence that would neutralise this
Bias testing integrated into the governance workflow as a gate, not a checkbox: written protocol, applied on a published cadence, with remediation triggered when thresholds are crossed and a remediation log the committee reviews.
No fair-lending analysis × AI-driven credit — ECOA / Fair Housing direct exposure
No fair lending analysis + AI-driven credit decisions
When AI drives credit decisions without an affirmative fair-lending testing regime, the institution is relying on disparate-impact not being present — a bet that historical training data has never won. The CFPB SafeRent consent order (2024), Upstart exam findings, and the Wells Fargo mortgage matter all turned on absence of fair-lending analysis at the model stage. ECOA/Reg B liability attaches to the creditor regardless of model vendor.
Evidence that would neutralise this
Statistical fair-lending testing (disparate impact, CBA/LAR analysis, least-discriminatory-alternative search) performed pre-deployment *and* on a periodic cadence, with results reviewed by fair-lending counsel and a remediation record where findings surfaced.
Risk Mitigators (1)
Real-time monitoring × rapid-response SLA — credit for resilience
Real-time monitoring + rapid response SLA
Monitoring combined with a committed response SLA is what carriers mean when they ask about "time-to-detect" and "time-to-mitigate." This pairing demonstrably reduces claim severity — it is the one control combination that shows up as a premium discount in AI-aware cyber and tech E&O rate filings. The dossier should surface this as affirmative positioning, not merely a score adjustment.
Evidence that would neutralise this
A monitoring dashboard live for tier-1 AI systems with named metric owners and an SLA-backed incident-response playbook. Evidence that the cycle actually ran in the last 6 months.