Advanced training

Compliance, Fair Lending, and Audit Trails

Every AI workflow in the prior modules — sales communications, the engine, committee propagation, pipeline acceleration — only ships if it survives an exam. This module is the audit layer that turns "AI moved fast" into "AI moved fast and stayed compliant."

19 minutes | Builds on Module 4.4 | Includes compliance lens

What you'll be able to do after this lesson

01. Name the regulatory surface

List the regulations every GMFS AI workflow must satisfy — TRID, RESPA, ECOA, fair lending, and the state-specific obligations layered on top.

02. Design audit trails on by default

Spec an audit trail that Claude and the agent layer preserve automatically — input, output, timestamp, model version, human reviewer — without anyone having to remember to log it.

03. Spot fair-lending risk patterns

Recognize the specific AI patterns — cycle-time disparities, language differences, automated decisioning — that introduce disparate-impact risk, and the mitigations that take them off the table.

Boundary, trail, bias

Regulated decision surface

Some decisions cannot be AI-automated. Credit approval, denial, pricing, adverse action — these are regulated decisions a human signs. AI can summarize, surface, and sort; it does not decide.

Audit trail

Every AI-touched step traceable: input, output, timestamp, model version, human reviewer. The audit trail isn't documentation after the fact — it's the artifact the agent produces while it works.

Bias risk

AI can encode disparate impact even when no protected-class data is in the prompt. Monitoring at the portfolio level — cycle times, approval rates, exception rates — is how you catch it.

Trainer note: A faster pipeline that fails fair-lending review is a worse pipeline. Compliance is not an obstacle to AI adoption — it's the condition under which AI adoption is sustainable. Build it in; don't bolt it on.

Three surfaces, three regulatory exposures

AI-touched underwriting steps (Credit)

Anything where AI summarizes, sorts, or recommends to an underwriter. ECOA, fair-lending, and CFPB mortgage rules all sit here. The mitigation is the human-decision boundary and the audit trail.

AI-drafted borrower communications (Communications)

Anything that goes to a borrower or partner with AI-generated content. TRID timing, RESPA marketing rules, state-specific UDAP, and CAN-SPAM all apply. Review before send is the gate.

AI-driven decisioning agents (Agents)

Agents that take actions in downstream systems — engine updates, LOS guardrails, rate-sheet propagation. Audit-trail discipline is what makes these defensible at exam time.

Five rules that keep the program defensible

1. Identify the regulated decision surface before designing the workflow

Before any AI workflow gets built, name the regulated decisions in it. Credit approval. Pricing. Adverse action. Disclosure timing. The regulated decisions don't move; the workflow has to fit around them.

2. Log every AI touch with structured metadata

Input, output, timestamp, model version, human reviewer. The log is not optional and not retroactive. If the agent isn't producing the log entry while it works, the workflow isn't ready for production.

3. Never let AI deny or price a loan

Two bright lines. AI surfaces, summarizes, sorts. AI does not deny credit. AI does not set price. Every denial reason and every priced rate has a human signature with an audit-trail entry.

4. Run periodic bias review on AI outputs

Quarterly review of cycle times, approval rates, exception rates, and complaint patterns by protected class. If the AI workflow introduces a disparity, find it before the examiner does.

5. Treat compliance review as a hard gate on every new AI workflow

"We'll loop in compliance after MVP" is the recipe for shipping a workflow that fails review. Compliance reviews before launch — every AI workflow, no exceptions, no exemptions for internal tools.

Weak prompt

Decide whether to grant this credit-policy exception.

Work-ready prompt

(In Cowork.) Patel loan file attached. Summarize for the credit officer: (1) the requested exception (gift funds at 60% of DP vs the 50% overlay), (2) every policy consideration in the GMFS overlay policy that touches this scenario, (3) prior similar exceptions in this file, (4) the fair-lending impact-assessment template fields the credit officer will need to complete. Do not recommend, decide, or approve — that's the credit officer's role.

Four compliance workflows that earn the build

Disclosure drafting & review

AI drafts initial disclosure language; compliance counsel reviews and signs off before publication. Faster drafting, same legal standard.

Complaint-response drafting

AI drafts an initial response to a borrower complaint using the file context; compliance reviews. Speeds response time without sacrificing care.

Fair-lending pattern detection

Periodic agent runs against portfolio data, surfacing approval-rate, cycle-time, and exception-rate disparities by protected class. Catches what manual review misses.

Audit-trail generation from agent logs

Agents produce structured audit entries while they work; a separate flow rolls them up into per-loan audit packages on demand. Exam-ready posture without exam-week panic.
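
One way to implement the per-loan roll-up described above, together with the gap check a mock exam would run, as an added example that is not GMFS's own code. The five required fields come from this lesson; `loan_id`, `step`, `actor`, the step names and every sample entry are assumptions constructed for illustration.

```python
from collections import defaultdict

# The five fields the lesson requires on every AI-touched step.
REQUIRED_FIELDS = ("input", "output", "timestamp", "model_version", "human_reviewer")
# Regulated decisions the lesson says a human signs (step names are assumed).
REGULATED_STEPS = {"credit_approval", "denial", "pricing", "adverse_action"}

# Constructed sample entries; loan IDs, step names and values are illustrative.
SAMPLE_LOG = [
    {"loan_id": "LN-1001", "step": "exception_summary", "actor": "ai",
     "input": "loan file + overlay policy", "output": "summary for credit officer",
     "timestamp": "2025-01-14T15:02:11Z", "model_version": "model-v1",
     "human_reviewer": "credit.officer.01"},
    {"loan_id": "LN-1001", "step": "credit_approval", "actor": "human",
     "input": "exception summary", "output": "exception granted",
     "timestamp": "2025-01-14T16:40:00Z", "model_version": "n/a",
     "human_reviewer": "credit.officer.01"},
    {"loan_id": "LN-1002", "step": "complaint_response_draft", "actor": "ai",
     "input": "complaint + file context", "output": "draft response",
     "timestamp": "2025-01-15T09:12:45Z", "model_version": "model-v1",
     "human_reviewer": ""},
    {"loan_id": "LN-1002", "step": "pricing", "actor": "ai",
     "input": "rate sheet", "output": "rate set",
     "timestamp": "2025-01-15T09:30:00Z", "model_version": "",
     "human_reviewer": "pricing.desk.02"},
]

def entry_findings(entry):
    """Return the audit gaps in one log entry, as an examiner would list them."""
    findings = [f"{entry['step']}: missing {field}"
                for field in REQUIRED_FIELDS if not entry.get(field)]
    if entry["step"] in REGULATED_STEPS and entry.get("actor") != "human":
        findings.append(f"{entry['step']}: regulated decision made by {entry.get('actor')}")
    return findings

def build_audit_packages(log):
    """Roll flat agent log entries up into one time-ordered package per loan."""
    packages = defaultdict(lambda: {"entries": [], "findings": []})
    for entry in sorted(log, key=lambda e: e.get("timestamp") or ""):
        package = packages[entry["loan_id"]]
        package["entries"].append(entry)
        package["findings"].extend(entry_findings(entry))
    return dict(packages)

if __name__ == "__main__":
    for loan_id, package in build_audit_packages(SAMPLE_LOG).items():
        print(loan_id, len(package["entries"]), "entries", package["findings"] or "clean")
```

Running the same check when each entry is written, rather than only at roll-up time, is what turns a gap into a routine fix instead of an exam finding.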

Five things to verify on every AI workflow

Employee rule: An audit-trail gap discovered at exam time is a finding. An audit-trail gap discovered during a routine internal review is a fix. The difference is whether the workflow has compliance review as a hard gate before launch — or whether it ships hoping no one looks.

Six exercises to make compliance operational

Compliance is built one workflow at a time. Use these exercises to make at least one of the Level-4 workflows you've already learned about audit-ready.

  1. Open the compliance lens in this lesson. Read the regulatory surface for each of the four prior Level-4 workflows. Note where the AI/human boundary changes by workflow.
  2. Map the regulatory surface for one Level-4 workflow in your area. List every regulation that touches it and the specific obligation each one creates.
  3. Draft an audit-trail spec for that workflow. Be concrete — field names, formats, retention, who can query it.
  4. Walk one AI-touched loan through a mock exam. Pretend you're a regulator: ask the file what it touched, when, with what input, with what reviewer. See what the audit trail actually answers.
  5. Identify one workflow that needs a fair-lending review. Propose the bias-review design — what data, what cohorts, what cadence, what the action is if a disparity is found.
  6. Draft a one-page "AI compliance principles" document for GMFS. Three to five principles, plain English, signed off by compliance leadership. The kind of document that goes on a wall.

Completion standard

You've finished this module when you can name the regulatory surface for any GMFS AI workflow in under a minute, design an audit trail that an examiner could read, and explain where the AI/human boundary sits and why.