AI Rejected Your Loan or Credit Application. What Are Your Rights?

Your rights when AI makes a credit decision about you

Credit decisions — loan applications, credit card approvals, mortgage assessments, overdraft limits, buy-now-pay-later eligibility — are among the most consequential automated decisions AI systems make about individuals. They affect housing, financial stability, and economic opportunity. Across major jurisdictions, regulators have established clear rights for individuals subject to AI-driven credit decisions. Understanding these rights matters whether you have been refused credit, given a lower limit than expected, or simply want to understand how your creditworthiness is being assessed.

European Union — GDPR Article 22 and the right to explanation

In the EU, GDPR Article 22 gives you the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects concerning you. Automatic credit refusals are explicitly covered — a bank using an AI credit scoring system to reject loan applications without any human review of that specific decision is likely violating Article 22.

On 27 February 2025, the Court of Justice of the EU confirmed in Case C-203/22 (Dun & Bradstreet Austria) that you have a genuine right to a meaningful explanation of automated credit decisions — including from credit reference agencies that provided the scoring data, not just from the lender who used it. The court confirmed that you are entitled to an explanation of the specific logic applied to your specific case, not just a general description of how the scoring system works in principle. Claiming trade secrets does not allow a company to refuse all explanation.

In practical terms, in the EU you have the right to: request that an automated credit decision be reviewed by a human; know that automated decision-making is being used and receive information about the logic involved; contest a credit decision and have your objection considered; and access the personal data used in the decision under your Article 15 right of access.

United Kingdom — changing framework under the DUAA 2025

In the UK, the legal landscape for automated credit decisions changed significantly when the Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. The Act repeals Article 22 of the UK GDPR and replaces it with new Articles 22A-D, which permit automated decision-making by default subject to specified safeguards. Under the new framework, if a lender uses a solely automated process to make a significant decision about you, it must inform you that an automated decision has been made, give you a way to make representations, and allow you to request human review. However, the requirement for human involvement before a final decision is made — the strongest protection under the old Article 22 — now applies only where the decision involves special category data.

Even under the DUAA, the FCA's Consumer Duty and Treating Customers Fairly principles require FCA-authorised lenders to be able to explain their credit decisions. The CFPB adverse action notice model — requiring specific, accurate reasons for credit refusal — does not apply in the UK, but the FCA's fair outcomes obligation creates equivalent commercial pressure on lenders to maintain explainability.

United States — Equal Credit Opportunity Act and adverse action notices

In the United States, the primary protection for individuals subject to AI credit decisions is the Equal Credit Opportunity Act (ECOA) and its implementing regulation, Regulation B. When a lender takes an adverse action — denying credit, reducing a credit limit, or changing credit terms unfavourably — it must provide a notice explaining the specific principal reasons for the decision. This requirement applies regardless of whether AI or complex algorithmic models are used to make the decision.

The Consumer Financial Protection Bureau confirmed in 2023 guidance that model complexity does not eliminate the adverse action notice obligation. A creditor cannot use "black box" AI underwriting and then claim it cannot explain the reasons for a refusal. The CFPB has stated explicitly: "ECOA and Regulation B do not permit creditors to use a 'black-box' underwriting technology when doing so means that the creditor cannot provide specific and accurate reasons for an adverse action." If you are refused credit in the US and do not receive a clear adverse action notice with specific reasons, the lender may be in violation of ECOA.

In addition, if you believe an AI credit decision discriminated against you based on a protected characteristic — race, colour, religion, national origin, sex, marital status, age, or receipt of public assistance — you can file a complaint with the CFPB, the Federal Reserve, or the FDIC depending on the type of lender. The Fair Housing Act applies to mortgage lending and includes AI-driven mortgage decisions.

Australia — Privacy Act and credit reporting obligations

In Australia, the use of AI in credit decisions is governed by the Privacy Act 1988, the Privacy (Credit Reporting) Code, and ASIC's responsible lending obligations. Credit providers must comply with the Australian Privacy Principles in collecting, using, and disclosing personal information used in credit decisions. The Privacy Act's automated decision-making transparency obligation, effective 10 December 2026, will require APP entities to disclose in their Privacy Policies when personal information is used in substantially automated decisions that have a legal or similarly significant effect on individuals — which explicitly includes credit decisions.

If you believe an automated credit decision has been made about you in Australia, you have the right to: request access to the personal information held about you (APP 12); request correction of inaccurate information (APP 13); lodge a complaint with the OAIC if your privacy rights are not met; and under responsible lending obligations, ask a credit provider to explain why a loan was refused.

What to do if you believe an AI credit decision about you was wrong

If you have been refused credit or had credit terms changed unfavourably and believe AI was involved: first, request the specific reasons for the decision in writing. In the EU and US, lenders are legally required to provide specific reasons. Second, request access to your credit file from credit reference agencies — errors in your credit report are a common cause of incorrect automated decisions. Third, if you are in the EU, you can request human review of the decision and submit your objection in writing. Fourth, if you believe the decision was discriminatory, you can complain to the relevant regulator: the national data protection authority in your EU member state; the ICO in the UK; the CFPB in the US; or the OAIC in Australia. Fifth, request that the organisation explain what data was used and what weight was given to each factor — under GDPR Article 15, you are entitled to this information.