FCRA · ECOA · CFPB Circulars 2022-03 / 2023-03 / 2024-04

Specific reasons. Cryptographically signed. Per decision.

CFPB Circulars 2022-03 / 2023-03 / 2024-04 + Reg B § 1002.9(b)(2) compliance, without the 0.5–1 FTE. AttestProto signs each adverse-action decision and auto-maps the citation, 30-day notice, and human-review pathway.

the cost of the gap

Compliance VPs spend 0.5-1 FTE rebuilding adverse-action paperwork that should be automatic.

Specific-reasons disclosure

Reg B § 1002.9(b)(2) requires the principal reasons for adverse action. "AI denied" doesn't qualify. CFPB has said so three circulars in a row.

30-day notice + human review

Section 1002.9(a) requires written notice within 30 days. Mapping the AI decision to a human-reviewable record is hand-rolled at most fintechs.

Cross-jurisdiction overlay

Add Colorado AI Act, GDPR Article 22 (EU customers), state UDAP analogues. Your team rebuilds the same compliance bundle four ways.

how it works

Sign the decision. Auto-map to the citation. Done at decision time, not month-end.

```
# underwriter side — every credit decision
$ attestproto sign \
    --agent credit-model-v7 \
    --tool decision.adverse \
    --input '{"applicant_id":"...","factors":[...],"score":612}' \
    --out adverse-2026-05-05-a-2731.json

# compliance side — auto-map to citations
$ attestproto map \
    --rules fcra-1681m,ecoa-reg-b-1002.9,gdpr-art-22,cfpb-circ-2022-03 \
    --bundle adverse-q1.tar.gz
# 1,294 decisions · 1,287 mapped clean · 7 missing specific-reasons → flagged
```

CFPB Circular 2022-03: Creditors cannot justify noncompliance with ECOA based on the mere fact that the technology they use to evaluate credit applications is too complicated or too opaque to understand.

Reg B § 1002.9(b)(2): The notification given to an applicant when adverse action is taken shall be in writing and shall contain a statement of specific reasons for the action taken.

try it

Sign one adverse-action decision in your browser.

No install, no account. The keypair is generated client-side and never leaves this page. Same code path as the production CLI.

Generates an Ed25519 keypair in your browser. Nothing leaves this page.

deployment

Self-hosted. Your loan-application data never leaves your infrastructure.

On-prem or VPC

Run inside your existing compliance perimeter. No vendor SaaS round-trip with PII.

Append-only ledger

Hash-chain integrity. Decision history is tamper-evident; regulator examination is straightforward.

4-8× ROI vs hand-rolled

0.5-1 FTE saved at fully-loaded $150-200k vs $25-50k/year licence.
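
The tamper-evidence property claimed under "Append-only ledger", as an added sketch that is not AttestProto's code: each entry commits to the previous entry's hash, and verification also compares the final hash against a head value kept outside the ledger, because anyone able to rewrite the whole file can recompute every link. The record layout, the `GENESIS` value and the function names are assumptions, the sample decisions are constructed, and the Ed25519 signing step is left out.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first entry

# Constructed sample decisions; field names follow the --input JSON shown above.
SAMPLE = [
    {"applicant_id": "a-0001", "score": 612, "factors": ["debt_to_income"]},
    {"applicant_id": "a-0002", "score": 588, "factors": ["delinquency_history"]},
    {"applicant_id": "a-0003", "score": 640, "factors": ["credit_history_length"]},
]


def entry_hash(prev_hash, record):
    # Canonical JSON (sorted keys, fixed separators) so key order cannot change the hash.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def build_ledger(records):
    """Chain records so every entry commits to the hash of the one before it."""
    ledger, prev = [], GENESIS
    for record in records:
        digest = entry_hash(prev, record)
        ledger.append({"prev": prev, "record": record, "hash": digest})
        prev = digest
    return ledger


def first_broken_index(ledger, trusted_head=None):
    """Return the index of the first bad entry, len(ledger) if only the
    externally stored head disagrees, or None if everything verifies."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(ledger)  # links are consistent, but history was rewritten or truncated
    return None


if __name__ == "__main__":
    ledger = build_ledger(SAMPLE)
    head = ledger[-1]["hash"]  # in practice stored or signed outside the ledger
    ledger[1]["record"]["score"] = 700  # in-place edit of a past decision
    print("first broken entry:", first_broken_index(ledger, head))
```

Without `trusted_head`, a fully recomputed chain verifies cleanly, which is why the head hash has to live somewhere the ledger's writer cannot reach.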

Worth a 20-minute screen-share?

We'll demo the auto-mapping firing on a sample lending attestation. If it doesn't fit your stack, no follow-up.
