v0.1 · MIT-licensed · self-hosted

The CFPB Circular 2022-03 attestation layer your AI lending stack didn't ship with.

Per-decision Ed25519 attestations, auto-mapped to FCRA § 1681m, Regulation B § 1002.9(a)+(b)(2), CFPB Circular 2022-03, GDPR Article 22, and Colorado AI Act § 6-1-1702. One tool. Five frameworks. All-or-nothing audit trail.

★ Get the toolkit on GitHub Book a 20-min screen-share →

Why this matters in 2026

CFPB Circular 2022-03 made it explicit: when AI/ML drives a credit decision, "checkbox" reasons aren't enough. The creditor must disclose the specific factors that drove the denial — and the creditor must be able to prove they did so.

Circular 2023-03 reaffirmed it. Circular 2024-04 extended scrutiny to alternative data and embedded scoring. A single CFPB enforcement letter or class-action under ECOA costs $5-50M and 6-18 months of legal exposure.

Most AI lending stacks ship without a verifiable per-decision audit trail. AttestProto fills that gap.

Who this is for

You're a Chief Risk Officer, VP of Compliance, or Head of Engineering, and:

Your in-house engineering team has been writing per-decision logging that is "good enough for an audit" for 6+ months. It's costing 0.5-1 FTE ($150-200k/year fully loaded). And nobody is certain it will satisfy the CFPB if the agency knocks.

What the toolkit auto-maps

FCRA § 1681m(a)

Adverse action notice on every denial. Automatically flagged high severity if the notice tag is absent from the attestation.

FCRA § 1681e(b)

"Maximum possible accuracy" procedural evidence captured per decision.

Regulation B § 1002.9(a)

30-day notification timing tracked per attestation.

Regulation B § 1002.9(b)(2)

"Statement of specific reasons" — required disclosure flagged automatically when missing.

CFPB Circular 2022-03

Detects denials whose input data is fully redacted and flags them as a finding, since a creditor that has discarded every input cannot disclose the specific factors used: exactly the pattern the Circular targets.

GDPR Article 22

Automated-decision-making + right to human review for any EU consumer in your funnel.

Colorado AI Act

SB 24-205 § 6-1-1702 + § 6-1-1703: developer and deployer high-risk duties plus consumer disclosure (effective June 30, 2026, after the 2025 special session pushed the original Feb 1, 2026 date back).

EU AI Act Annex III(5)(b)

Lending is a designated high-risk category. Article 12 logging, Article 14 oversight, Article 17 QMS — all auto-tagged.

Multi-framework single-pass

One attestation produces simultaneous evidence for all the above frameworks. No bespoke per-framework instrumentation.

30-second example — what your auditor sees on a denial

$ attestproto compliance loan-denial-2026-05-04.json --json
[
  {
    "framework": "fcra",
    "citation": "15 U.S.C. § 1681m(a) (adverse action notice)",
    "severity": "high",
    "detail": "Adverse lending decision without FCRA § 1681m(a) notice tag; § 1681m(a) requires notice to the consumer."
  },
  {
    "framework": "ecoa-reg-b",
    "citation": "12 CFR § 1002.9(b)(2) (statement of specific reasons)",
    "severity": "high",
    "detail": "Adverse credit decision without § 1002.9(b)(2) tag; ECOA requires disclosure of SPECIFIC reasons (generic 'AI scoring' is insufficient per CFPB Circular 2022-03)."
  },
  {
    "framework": "cfpb",
    "citation": "Circular 2022-03 (AI/ML credit-decision specificity)",
    "severity": "medium",
    "detail": "Lending denial with fully-redacted input data; CFPB Circular 2022-03 requires the creditor be able to disclose the specific factors used."
  },
  {
    "framework": "gdpr",
    "citation": "Article 22(3) (right to obtain human intervention)",
    "severity": "medium",
    "detail": "Automated decision without 'gdpr-22-human-review-available' tag; Article 22(3) requires meaningful human review on request."
  },
  {
    "framework": "colorado-ai-act",
    "citation": "C.R.S. § 6-1-1703 (consumer disclosure)",
    "severity": "medium",
    "detail": "High-risk decision without 'colorado-ai-act-disclosure-sent' tag; § 6-1-1703 requires advance consumer disclosure."
  }
]

Once your stack emits the right attestation tags (fcra-1681m-notice-sent, regb-9b2-reasons-disclosed, gdpr-22-human-review-available, colorado-ai-act-disclosure-sent) and records redaction as fields-redacted rather than redacting the whole input, the findings above clear and the audit package is clean.
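To make the two halves of that pipeline concrete (an Ed25519 signature over each decision record, then a rules pass that emits findings in the shape shown above), here is a small added example in Go. It is not AttestProto's code: the record layout (`decision_id`, `outcome`, `redaction`, `tags`) and the function names are assumptions, only the tag names, citations and severities are taken from the sample output on this page, and the GDPR and Colorado rules are applied to every automated decision rather than only to EU or Colorado consumers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Attestation is an ASSUMED per-decision record; AttestProto's real schema is
// not on the page. Only the tag names and the redaction mode come from it.
type Attestation struct {
	DecisionID string   `json:"decision_id"`
	Outcome    string   `json:"outcome"`   // "approved" or "denied"
	Redaction  string   `json:"redaction"` // "none", "fields-redacted" or "full"
	Tags       []string `json:"tags"`
}

// SignedAttestation keeps the exact bytes that were signed. Verify checks the
// signature over those bytes and only then parses them; re-encoding the struct
// on the verifier side could change field order or whitespace and break the check.
type SignedAttestation struct {
	Payload   json.RawMessage `json:"payload"`
	Signature []byte          `json:"signature"`
}

// Finding mirrors the shape of the `attestproto compliance --json` output.
type Finding struct {
	Framework string `json:"framework"`
	Citation  string `json:"citation"`
	Severity  string `json:"severity"`
	Detail    string `json:"detail"`
}

// NewKeypair makes an Ed25519 signing key for the decision service.
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS CSPRNG is unavailable
	}
	return pub, priv
}

// Sign serialises the record once and signs exactly those bytes.
func Sign(priv ed25519.PrivateKey, a Attestation) (SignedAttestation, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify rejects any record whose signature does not match the stored bytes
// under the expected key; nothing in the payload is trusted before this.
func Verify(pub ed25519.PublicKey, s SignedAttestation) (Attestation, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, s.Payload, s.Signature) {
		return Attestation{}, fmt.Errorf("attestation signature invalid")
	}
	var a Attestation
	err := json.Unmarshal(s.Payload, &a)
	return a, err
}

func hasTag(a Attestation, want string) bool {
	for _, t := range a.Tags {
		if t == want {
			return true
		}
	}
	return false
}

func denied(a Attestation) bool { return a.Outcome == "denied" }

// rules reproduces the five checks behind the page's sample output, in its order.
var rules = []struct {
	fails func(Attestation) bool
	Finding
}{
	{func(a Attestation) bool { return denied(a) && !hasTag(a, "fcra-1681m-notice-sent") },
		Finding{"fcra", "15 U.S.C. § 1681m(a) (adverse action notice)", "high",
			"Adverse lending decision without FCRA § 1681m(a) notice tag; § 1681m(a) requires notice to the consumer."}},
	{func(a Attestation) bool { return denied(a) && !hasTag(a, "regb-9b2-reasons-disclosed") },
		Finding{"ecoa-reg-b", "12 CFR § 1002.9(b)(2) (statement of specific reasons)", "high",
			"Adverse credit decision without § 1002.9(b)(2) tag; ECOA requires disclosure of SPECIFIC reasons."}},
	{func(a Attestation) bool { return denied(a) && a.Redaction == "full" },
		Finding{"cfpb", "Circular 2022-03 (AI/ML credit-decision specificity)", "medium",
			"Lending denial with fully-redacted input data; record fields-redacted so the factors used stay disclosable."}},
	{func(a Attestation) bool { return !hasTag(a, "gdpr-22-human-review-available") },
		Finding{"gdpr", "Article 22(3) (right to obtain human intervention)", "medium",
			"Automated decision without 'gdpr-22-human-review-available' tag."}},
	{func(a Attestation) bool { return !hasTag(a, "colorado-ai-act-disclosure-sent") },
		Finding{"colorado-ai-act", "C.R.S. § 6-1-1703 (consumer disclosure)", "medium",
			"High-risk decision without 'colorado-ai-act-disclosure-sent' tag."}},
}

// Evaluate runs every rule against a verified attestation and returns the findings.
func Evaluate(a Attestation) []Finding {
	var out []Finding
	for _, r := range rules {
		if r.fails(a) {
			out = append(out, r.Finding)
		}
	}
	return out
}

func main() {
	pub, priv := NewKeypair()
	// Constructed sample: an untagged, fully redacted denial, as in the page's output.
	signed, _ := Sign(priv, Attestation{DecisionID: "loan-denial-2026-05-04", Outcome: "denied", Redaction: "full"})
	a, err := Verify(pub, signed)
	if err != nil {
		fmt.Println("reject:", err)
		return
	}
	report, _ := json.MarshalIndent(Evaluate(a), "", "  ")
	fmt.Println(string(report))
}
```

Two design points worth keeping when you build the real thing: the rules run only on a record that has passed signature verification, so a finding is always attributable to bytes the decision service actually signed; and the FCRA and Regulation B rules are gated on the outcome while the GDPR and Colorado rules are not, because adverse-action duties attach to denials but automated-decision and high-risk-system duties attach to every decision the model makes.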

What this is NOT


AttestProto is built by Lex Oleksiienko (Calgary, AB). Open source, MIT. Not legal advice. The compliance rules engine implements the publicly available text of FCRA, ECOA Regulation B, the CFPB Circulars, and the Colorado AI Act; consult your firm's counsel before relying on it for customer-facing disclosures or audit deliverables.