While federal regulatory agencies have explicitly narrowed their examination focus on algorithmic lending practices, a distinct enforcement architecture is emerging at the state level. Massachusetts, New Jersey, and New York have each taken enforcement or rulemaking actions in the past year targeting AI-driven underwriting models, scoring systems, and automated decision tools used in mortgage origination. The absence of a unified federal framework has not reduced the total exposure for lenders. It has fragmented it — creating a compliance patchwork that multi-state originators are only beginning to understand.
The Enforcement Record
The Massachusetts Attorney General reached a $2.5 million settlement with a lender over AI underwriting model practices, focusing on three specific deficiencies: failure to test algorithmic models and their weighted inputs for disparate impact across protected classes; training models on arbitrary human selections without determining whether the selected variables were predictive of default; and adverse action notices that did not adequately explain credit decisions. The settlement requires the lender to implement comprehensive fair lending testing, controls, and risk assessments for AI model use — obligations that extend beyond anything currently required by federal examination standards.
New Jersey codified AI governance guidance alongside its December 2025 disparate-impact regulations, establishing explainability expectations for automated decisioning tools that go beyond current federal requirements. Lenders making loans to New Jersey borrowers — or secured by New Jersey properties — are now subject to a state-level framework that explicitly survives the CFPB’s Regulation B overhaul. New York’s strengthened consumer protection authority has created additional pathways for state enforcement against lending practices that cause harm through automated means, even absent overt discriminatory intent.
The Model Governance Gap
The enforcement pattern emerging from state actions identifies a consistent structural deficiency: lenders deploying AI or algorithmically-assisted underwriting tools lack adequate documentation of model governance. Specifically, the gap is not in model construction but in ongoing model validation — the documented, periodic assessment of whether models continue to perform as intended across borrower populations, whether weighted inputs remain defensible under current credit conditions, and whether output decisions can be explained in terms that satisfy adverse action notice requirements.
Adverse action notice adequacy is an underappreciated compliance risk in automated underwriting environments. When a loan recommendation engine flags a file as ineligible or refers it for manual review, the documentation trail connecting the algorithmic output to a specific, explainable reason code — acceptable for ECOA and Regulation B adverse action notice purposes — must be complete and auditable. Lenders using layered systems, where automated outputs are supplemented by loan officer discretion, face the additional challenge of documenting that human overlay decisions are applied consistently and do not introduce the kind of undocumented exception patterns that generate fair lending exposure.
The Investor and Audit Exposure Dimension
AI model governance deficiencies are not purely a regulatory risk; they are a loan salability risk. Investor overlays for correspondent and wholesale channels are increasingly incorporating model documentation requirements as a condition of purchase eligibility. Post-closing QC reviews that cannot confirm the decision logic behind automated underwriting findings, or that identify adverse action notice deficiencies after closing, generate both GSE representation and warranty exposure and secondary market rejection risk.
Pre-funding QC reviews that incorporate structured fair lending assessment, screening loan-level decision documentation for consistency across comparable borrower profiles, are the primary mechanism for detecting model governance failures before they reach investor review or state examination. Firms that have built explicit AI model audit checkpoints into their QC workflows are positioned to demonstrate the kind of documented control environment that state regulators are now requiring as a settlement condition.
What the Industry Should Anticipate
State enforcement activity targeting AI underwriting tools is accelerating, not plateauing. Former CFPB Director Rohit Chopra is now advising state attorneys general on enforcement strategy in areas where federal oversight has receded — and AI decisioning in mortgage lending is explicitly among the targeted areas. Through Q3 and Q4 2026, lenders with significant origination volume in Massachusetts, New Jersey, New York, and California should expect heightened examination scrutiny of model governance documentation, adverse action notice compliance, and override tracking. The examination preparation timeline for building a defensible AI governance framework is longer than most compliance teams estimate. The institutions that begin now will not be ready in time; the institutions that began last quarter may be.
