Philip J. Weiser
Attorney General
Colorado Department of Law
1300 Broadway #10th
Denver, CO 80203
Re: Response to Request for Information Regarding the Implementation of Senate Bill 26-189, Colorado Automated Decision-Making Technology Act
Dear Attorney General Weiser,
On behalf of the American Fintech Council ("AFC"), I write to submit this comment letter in response to the Colorado Department of Law's Request for Information regarding the implementation of Senate Bill 26-189, Colorado's Artificial Intelligence Act (Proposed Rulemaking). AFC welcomes the Department's efforts to engage stakeholders as it develops implementing regulations that will govern the responsible use of automated decision-making technologies (“ADMT”) while advancing consumer protection and fostering continued innovation.
AFC is a standards based organization and the largest and most diverse trade association representing financial technology companies and innovative banks. On behalf of more than 150 member companies and partners, AFC promotes a transparent, inclusive, and customer centric financial system by supporting responsible innovation in financial services and encouraging sound public policy. AFC's membership includes banks, nonbank lenders, payments companies, credit bureaus, loan servicers, financial technology companies, and other participants throughout the financial services ecosystem. Together, our members serve millions of consumers and businesses while operating within one of the most comprehensive regulatory frameworks in the United States.
AFC and its members support the General Assembly's objective of promoting the responsible deployment of ADMT in consequential decision making while preserving consumer trust and confidence in emerging technologies. These technologies present meaningful opportunities to improve financial inclusion, strengthen fraud detection, enhance compliance, expand access to credit, and improve operational efficiency throughout the financial services sector. At the same time, financial institutions recognize that these technologies must be deployed responsibly, subject to appropriate governance, oversight, and consumer protections.
As the Department develops implementing regulations, AFC respectfully encourages an approach that recognizes the mature supervisory framework already governing financial institutions. Banks and regulated financial technology companies are not beginning their governance efforts for ADMT from a blank slate. Rather, they operate within an extensive network of federal statutes, prudential supervision, examination expectations, model governance requirements, third party risk management guidance, privacy obligations, and consumer protection standards that collectively establish a robust framework for the safe and responsible use of technology within financial services.
Accordingly, AFC encourages the Department to implement Senate Bill 26-189 in a manner that harmonizes with existing federal law, avoids unnecessary duplication of existing compliance obligations, provides objective and administrable compliance standards, preserves technology neutrality, and recognizes the operational realities facing regulated financial institutions. Such an approach would strengthen consumer protection while ensuring that Colorado remains a national leader in responsible financial innovation.
I. AFC Supports Implementing Senate Bill 26-189 in a Manner That Harmonizes with Existing Federal Financial Services Requirements and Avoids Duplicative Regulatory Obligations
Financial institutions operate within one of the most comprehensive regulatory environments in the United States. Existing federal law already imposes extensive obligations governing fair lending, consumer disclosures, privacy, model governance, operational resilience, third party oversight, and unfair or deceptive practices. The Department's implementing regulations should recognize these existing requirements and avoid imposing duplicative obligations where substantially similar protections already exist.
Financial institutions routinely demonstrate compliance with the Equal Credit Opportunity Act and Regulation B through fair lending programs, adverse action notice requirements, model governance practices, and ongoing supervisory examinations. Likewise, institutions remain subject to the Fair Credit Reporting Act, the Gramm Leach Bliley Act, the Federal Trade Commission Safeguards Rule, the Bank Secrecy Act, and extensive third party risk management expectations issued jointly by the federal banking agencies. Collectively, these requirements already establish rigorous expectations regarding governance, accountability, documentation, consumer protection, and operational controls. Requiring regulated entities to satisfy multiple overlapping standards addressing identical risks would increase compliance costs without producing corresponding consumer protection benefits. Instead, duplicative requirements may divert institutional resources away from substantive risk management and toward reconciling inconsistent documentation, reporting, and examination expectations.
This principle extends beyond avoiding duplication. Harmonization with existing federal law is equally important. For example, if the Department adopts requirements concerning consumer explanations for AI assisted lending decisions, those requirements should align with adverse action notices already required under the Equal Credit Opportunity Act and Regulation B rather than establishing a separate disclosure framework. Similarly, privacy obligations should remain consistent with the Gramm Leach Bliley Act and should not inadvertently require institutions to disclose information protected by federal privacy law. Likewise, where consumer reports contribute to a consequential decision, implementing regulations should avoid creating timing, content, or procedural requirements that conflict with the Fair Credit Reporting Act. Regulated institutions should not face inconsistent obligations depending upon whether they are complying with Colorado law or longstanding federal consumer protection statutes.
Recognizing existing federal regulatory frameworks would also promote examination consistency. Financial institutions already devote significant resources toward satisfying supervisory expectations established by federal banking agencies. As federal agencies continue to articulate supervisory and enforcement expectations governing the use of artificial intelligence, including the Federal Trade Commission's recent Policy Statement Concerning the Suppression of Accuracy in Artificial Intelligence Systems, the Department should seek to avoid adopting requirements that could produce inconsistent supervisory expectations or enforcement outcomes between state and federal regulators. Creating materially different state requirements governing substantially similar activities risks producing conflicting examination outcomes and unnecessary regulatory uncertainty. AFC therefore encourages the Department to expressly acknowledge existing federal compliance frameworks and, where appropriate, establish presumptions of compliance for substantially similar requirements.
II. AFC Supports Clear, Objective, and Technology Neutral Compliance Standards That Promote Responsible Innovation and Consistent Supervision
Effective regulation will largely be contingent upon clear standards which are capable of being implemented consistently across regulated entities and administered predictably by supervisory authorities. Ambiguous regulatory obligations often create greater compliance risk than stringent requirements because institutions lack objective benchmarks against which to evaluate their compliance programs. Several statutory concepts within Senate Bill 26-189 would benefit from additional regulatory clarification. For example, the Department should provide objective guidance regarding what constitutes meaningful human review, including the level of authority possessed by human reviewers, the circumstances under which review should occur, what constitutes a commercially reasonable human review process under the Act, and the documentation necessary to demonstrate compliance.
Similarly, the regulations should clarify what constitutes a substantial factor in a consequential decision and identify the circumstances under which ADMT materially influences decision making, particularly in the lending context. This is particularly important in credit decisioning, where for decades banks and other lenders have relied on automated processes to review and approve or decline credit applications. These automated processes are based on static lending criteria set by humans, and are actively supervised by humans. They should be explicitly defined to not be machine learning or artificial intelligence. Indeed, any underwriting model that is approved by a human, whether it was developed with the assistance of machine learning or artificial intelligence, should be defined out of the scope of “consequential decision,” since the human approving the model is ultimately responsible for the underwriting decision, not the application of those underwriting criteria to each individual loan application. Furthermore, any human review of an underwriting decision that cannot result in a different outcome should be automatically deemed commercially unreasonable, as it would simply increase cost for the lender, and time spent by the borrower, without changing the outcome. Indeed, if human review did result in a different decision, it would mean that similarly situated applicants could get different outcomes, raising significant fair lending concerns. For example, if a lender develops a model that only makes decisions within its credit policy, an automated system that denies an applicant outside of its credit policy should not be deemed to have made a consequential decision, nor would it be commercially reasonable for the consumer to request a human review of that denial of credit.
Institutions would also benefit from objective guidance concerning documentation expectations, record retention requirements, testing methodologies, governance documentation, and requirements pertaining to consumer communications and notices. In tandem, greater specificity should be directed towards clarifying what constitutes doing business in Colorado, for purposes of regulatory oversight, such that financial institutions who either have a physical company presence, or who conduct business activities tangentially related to local commerce, are transparently made aware of their need to comply with ADMT requirements. Without uniform standards, similarly situated institutions may develop materially different compliance approaches despite pursuing identical statutory objectives.
To promote supervisory consistency, AFC recommends that the Department publish model notices, frequently asked questions, examples of compliant disclosures, examples illustrating meaningful human review, and practical implementation guidance addressing common compliance scenarios. These materials would significantly reduce regulatory uncertainty while encouraging consistent implementation across the marketplace. Equally important, the regulations should remain agnostic to various technology platforms. ADMT continues to evolve rapidly, and prescriptive technical requirements may become obsolete long before future regulatory amendments occur. Accordingly, implementing regulations should focus upon consumer outcomes, governance principles, accountability, and demonstrable risk management rather than prescribing particular model architectures or technical solutions.
III. AFC Encourages a Risk-Based Approach to Oversight of Automated Decision-Making Technologies That Reflects the Diversity of Use Cases and Institutional Profiles
In implementing Senate Bill 26-189, AFC encourages the Department to adopt a risk-based framework that accounts for the wide range of ADMT used within financial services and the varying levels of risk they present. Not all ADMT deployed by financial institutions carry the same potential for consumer impact, and regulatory requirements should be calibrated accordingly. A risk-based approach would allow institutions to allocate compliance resources proportionately, focusing enhanced oversight on high-risk use cases such as use of artificial intelligence to make individual credit underwriting decisions, fraud detection affecting account access, or other consequential decisions driven or materially influenced by automated decision-making technologies, while permitting more streamlined governance for lower-risk applications such as internal operational tools or customer service enhancements.
Such an approach would also align with existing federal supervisory expectations, which emphasize risk-based compliance, model governance, and internal controls for systems that inform or automate decision making. By incorporating risk-based principles into implementing regulations, the Department can promote more effective oversight while avoiding unnecessary burden on lower-risk activities. Additionally, a risk-based framework would support innovation by allowing institutions to test and deploy emerging automated decision-making technologies in controlled environments, subject to appropriate safeguards. This flexibility is particularly important given the rapid pace of technological development and the evolving nature of these tools.
IV. AFC Recommends Implementation Mechanisms That Support Ongoing Regulatory Dialogue and Adaptive Compliance for Automated Decision-Making Technologies
Given the evolving nature of automated decision-making technologies, AFC encourages the Department to adopt implementation mechanisms that allow for ongoing regulatory dialogue and iterative refinement of compliance expectations over time. One approach would be to establish formal or informal channels for continued stakeholder engagement following initial rulemaking, including periodic roundtables, advisory groups, or opportunities for public comment on emerging issues related to automated decision-making technologies. These mechanisms would allow regulators and industry participants to share insights, identify emerging risks, and refine regulatory approaches based on real-world experience.
The Department may also consider incorporating adaptive compliance tools such as regulatory sandboxes, pilot programs, or safe harbors for good faith compliance efforts involving automated decision-making technologies. These mechanisms can facilitate responsible experimentation while maintaining appropriate consumer protections and regulatory oversight. Additionally, coordination with federal regulators will remain critical as oversight of ADMT continues to evolve. Ongoing dialogue between state and federal authorities can help ensure that regulatory expectations remain aligned and that institutions are not subject to conflicting or inconsistent requirements. By adopting flexible and adaptive implementation strategies, the Department can ensure that its regulatory framework remains effective over time while supporting both consumer protection and continued innovation.
* * *
AFC appreciates the opportunity to provide input on the implementation of Senate Bill 26-189. By harmonizing with existing federal frameworks, providing clear and objective standards, adopting a risk-based approach, and supporting adaptive implementation mechanisms, the Department can advance consumer protection while fostering responsible innovation within Colorado's financial services ecosystem.
AFC and its members stand ready to work with the Department as it develops implementing regulations and would welcome the opportunity to provide additional information or participate in further discussions.
Sincerely,
Ian P. Moloney
Chief Policy Officer
American Fintech Council
[1] American Fintech Council’s (AFC) membership spans banks, non-bank lenders, payments providers, EWA providers, loan servicers, credit bureaus, and personal financial management companies.
[2] Colorado General Assembly, Senate Bill 26-189, Automated Decision-Making Technology, 75th Gen. Assemb., 2d Reg. Sess. (Colo. 2026), [3] https://leg.colorado.gov/bills/sb26-189.
[3] Consumer Financial Protection Bureau, Equal Credit Opportunity Act (Regulation B), 12 C.F.R. pt. 1002 (2026), https://www.ecfr.gov/current/title-12/chapter-X/part-1002.
[4] Federal Trade Commission, “Policy Statement Concerning the Suppression of Accuracy in Artificial Intelligence Systems,” Federal Register 91, no. 128 (July 7, 2026), https://www.federalregister.gov/documents/2026/07/07/2026-13628/policy-statement-concerning-the-suppression-of-accuracy-in-artificial-intelligence-systems.
About the American Fintech Council: The mission of the American Fintech Council is to promote an innovative, responsible, inclusive, customer-centric financial system. You can learn more at www.fintechcouncil.org.