Control 2.11: Bias Testing and Fairness Assessment
Control ID: 2.11
Pillar: Management
Regulatory Reference: Fed SR 11-7, OCC 2011-12, ECOA / Reg B (15 U.S.C. § 1691, 12 CFR Part 1002), FINRA Rule 3110, FINRA 2026 Annual Regulatory Oversight Report (AI focus), CFPB Circular 2023-03 (adverse action notices using AI), NIST AI RMF (MEASURE-2.11)
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Implement systematic bias testing and fairness assessment for AI agents to identify and remediate discriminatory outputs, supporting compliance with fair lending laws and regulatory expectations for AI fairness in financial services.
Why This Matters for FSI
- FINRA Rule 3110 (Supervision): Written supervisory procedures should cover AI systems used in investor communications and recommendations, including evidence of fairness review prior to deployment.
- FINRA 2026 Annual Regulatory Oversight Report: Identifies AI / generative AI as an examination priority, with explicit focus on bias, accuracy, and supervisory documentation.
- Fed SR 11-7 / OCC 2011-12 (Model Risk Management): Model validation should assess outcomes for potential disparate impact across protected classes; effective challenge by an independent function is expected for higher-risk models.
- ECOA / Regulation B (12 CFR § 1002.4): Prohibits discrimination on a prohibited basis in any aspect of a credit transaction. Applies whenever an agent influences credit, lending, account-opening, pricing, or insurance underwriting decisions.
- CFPB Circular 2023-03: Reaffirms that creditors using AI / complex models must still provide specific and accurate adverse action reasons under ECOA — opaque "black-box" justifications are not compliant.
- SEC Predictive Data Analytics proposal & Reg BI: Examinations focus on conflicts of interest and fairness in AI used for retail customer interactions; pairs with Control 2.18.
- NIST AI RMF 1.0 (MEASURE-2.11): Establishes the baseline expectation that fairness and bias of AI systems are evaluated and results documented.
ECOA Applicability
Equal Credit Opportunity Act (ECOA) and Regulation B requirements apply specifically when AI agents influence credit, lending, account-opening, pricing, or insurance underwriting decisions. For agents not involved in these functions, focus on FINRA Rule 3110 supervision, SR 11-7 / OCC 2011-12 model risk requirements, and SEC Reg BI fairness expectations. State fair lending laws may extend protected classes (e.g., sexual orientation, gender identity, military status) — consult legal counsel.
Control Description
This control establishes a bias-testing and fairness program through:
- Protected Class Identification — Define classes per ECOA (race, color, religion, national origin, sex, marital status, age, receipt of public assistance, good-faith exercise of Consumer Credit Protection Act rights) plus any state-law additions.
- Fairness Metrics — Combine outcome-rate measures (demographic parity, disparate impact ratio / four-fifths rule), error-rate measures (equalized odds, equal opportunity), and probability calibration. No single metric is sufficient; selection should match the agent's use case and regulatory context.
- Test Dataset Construction — Build representative test datasets that span protected classes, with documented methodology and statistical power calculations. Synthetic data is preferred over production customer data to manage privacy risk under GLBA Safeguards Rule.
- Bias Detection Procedures — Run agent outputs across demographic groups, classify outcomes against pre-defined criteria, and apply statistical significance testing (chi-square, Fisher's exact, regression) before declaring pass/fail.
- Remediation Workflow — Triage findings by severity, apply system-prompt or knowledge-source changes, and re-test before redeployment. Material model changes invoke re-validation under SR 11-7 effective challenge.
- Independent Validation (Zone 3) — A function independent of the model owner reviews methodology, results, and remediation, consistent with SR 11-7 effective-challenge expectations.
- Audit-Defensible Evidence — Retain test inputs, raw outputs, statistical analysis, sign-offs, and remediation history in storage configured for WORM retention (per SEC 17a-4(f) / FINRA Rule 4511 record-keeping requirements).
This control aligns with NIST AI RMF MEASURE-2.11 (fairness and bias evaluated and results documented) and is a required component of the model-risk lifecycle defined in Control 2.6.
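As an added illustration of the Fairness Metrics and Bias Detection Procedures items above (example code written for this page, not part of the control's playbooks), the following Python computes the disparate-impact ratio against the four-fifths rule, selection-rate and equalized-odds gaps, and a chi-square significance test over a constructed two-group sample. The group labels, counts and the 0.05 significance threshold are assumptions made for the example.

```python
"""Added example: four-fifths rule, demographic parity, equalized-odds gaps and a chi-square
test over agent approve/deny outputs. Standard library only; all data below is constructed."""

# Hypothetical spec: group -> (n_actual_good, good_approved, n_actual_bad, bad_approved).
# "A" and "B" stand in for two protected-class groups; the counts are made up.
DEFAULT_SPEC = {"A": (70, 65, 30, 15), "B": (70, 50, 30, 6)}
CHI2_CRIT_DF1_P05 = 3.841  # chi-square critical value, df=1, alpha=0.05 (assumed threshold)
FOUR_FIFTHS = 0.8          # EEOC four-fifths rule threshold on the disparate-impact ratio

def build_sample(spec=DEFAULT_SPEC):
    """Expand the spec into (group, actual_good, agent_approved) records."""
    rows = []
    for g, (n_good, good_ok, n_bad, bad_ok) in spec.items():
        rows += [(g, 1, i < good_ok) for i in range(n_good)]
        rows += [(g, 0, i < bad_ok) for i in range(n_bad)]
    return rows

def group_stats(rows):
    """Per-group approval count, selection rate (demographic parity), TPR and FPR."""
    stats = {}
    for g in sorted({r[0] for r in rows}):
        sub = [r for r in rows if r[0] == g]
        pos = [r for r in sub if r[1] == 1]
        neg = [r for r in sub if r[1] == 0]
        approved = sum(r[2] for r in sub)
        stats[g] = {"n": len(sub), "approved": approved, "rate": approved / len(sub),
                    "tpr": sum(r[2] for r in pos) / len(pos),
                    "fpr": sum(r[2] for r in neg) / len(neg)}
    return stats

def chi_square_2x2(a, b, c, d):
    """Pearson chi-square statistic for the table [[a, b], [c, d]] (df=1, no Yates correction)."""
    n = a + b + c + d
    rows, cols, obs = (a + b, c + d), (a + c, b + d), ((a, b), (c, d))
    return sum((obs[i][j] - rows[i] * cols[j] / n) ** 2 / (rows[i] * cols[j] / n)
               for i in range(2) for j in range(2))

def assess(rows):
    """Metrics for a two-group bias-assessment report plus a pass / review / fail verdict."""
    g1, g2 = group_stats(rows).values()  # exactly two groups assumed
    di = min(g1["rate"], g2["rate"]) / max(g1["rate"], g2["rate"])
    chi2 = chi_square_2x2(g1["approved"], g1["n"] - g1["approved"],
                          g2["approved"], g2["n"] - g2["approved"])
    # Fail only when the four-fifths breach is also significant; a non-significant breach goes
    # to "review" (typically the sample is too small for the test to have power).
    verdict = "pass" if di >= FOUR_FIFTHS else ("fail" if chi2 > CHI2_CRIT_DF1_P05 else "review")
    return {"disparate_impact_ratio": round(di, 4), "chi2": round(chi2, 3),
            "tpr_gap": round(abs(g1["tpr"] - g2["tpr"]), 4),
            "fpr_gap": round(abs(g1["fpr"] - g2["fpr"]), 4), "verdict": verdict}
```

Calling `assess(build_sample())` on the constructed default sample returns a ratio of 0.70 with chi-square about 13.2, which is both below the four-fifths threshold and significant, so the verdict is "fail"; a balanced spec yields "pass".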
Related Automation
See Control 2.18 for the complementary Conflict of Interest Testing solution. No dedicated bias-testing automation package is currently published for this control; the playbooks below describe the implementation pattern using PowerShell, Power Automate, and Power BI.
Key Configuration Points
- Define protected classes relevant to the agent's use case (ECOA + state-specific) and document the rationale for any class scoped out.
- Create fairness test datasets with representative demographic distribution and documented sample-size / statistical-power justification.
- Establish baseline fairness metrics before deployment, including the disparate-impact ratio (four-fifths rule) for any agent that influences credit, lending, hiring-adjacent, or pricing decisions.
- Configure automated bias testing in the CI/CD or release pipeline for Zone 3 agents; gate production promotion on test results.
- Set remediation SLAs by severity: Critical (24 hours), High (7 days), Medium (30 days). Material model changes trigger re-validation under SR 11-7.
- Capture audit-defensible evidence (test inputs, raw outputs, statistical analysis, SHA-256 manifest) in WORM-configured storage.
- Schedule recurring bias assessments — quarterly minimum for Zone 3, after every material change, and on protected-class data refreshes.
- Require independent validation sign-off for Zone 3 agents before production deployment and on each quarterly cycle.
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Awareness training; report suspected bias; annual review | Low external impact, basic awareness needed |
| Zone 2 (Team) | Pre-deployment bias testing; documented assessment; quarterly review | Shared agents warrant structured testing |
| Zone 3 (Enterprise) | Comprehensive fairness assessment; automated monitoring; independent validation; remediation SLAs | Customer-facing agents require rigorous bias controls |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| AI Governance Lead | Define testing requirements, oversee fairness program, approve methodology |
| Model Risk Manager | Provide independent challenge of methodology and results (SR 11-7) |
| Data Science Team | Develop fairness metrics, execute statistical analysis, document methodology |
| Compliance Officer | Validate regulatory alignment, sign off on ECOA / Reg B applicability scoping |
| Agent Owner | Remediate identified bias, implement corrective actions, request re-validation |
| Purview Compliance Admin | Configure WORM retention for fairness evidence (SEC 17a-4 / FINRA 4511) |
Related Controls
| Control | Relationship |
|---|---|
| 2.6 - Model Risk Management | Bias testing is a required component of model validation under SR 11-7 |
| 2.5 - Testing & Validation | Fairness testing is integrated with broader QA gates |
| 2.18 - Conflict of Interest Testing | Complementary testing for recommendation bias (COI Testing Framework) |
| 3.10 - Hallucination Feedback | Bias-related findings feed quality and feedback management |
| 3.3 - Compliance and Regulatory Reporting | Bias-testing evidence rolls up into FINRA / SEC examination reporting |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Protected classes documented per ECOA and applicable state law, with rationale for any class scoped out
- Fairness test dataset includes representative demographic distribution with sample-size justification
- Baseline fairness metrics established and documented (demographic parity, equalized odds, calibration, disparate-impact ratio)
- Bias testing executed before every Zone 3 agent deployment and on each quarterly cycle
- Bias assessment report includes statistical significance testing (chi-square / Fisher / regression) and disparate-impact ratio against the four-fifths rule
- Independent validation sign-off recorded for Zone 3 agents (SR 11-7 effective challenge)
- Evidence retained in WORM-configured storage with SHA-256 integrity manifest for the FINRA / SEC retention period
Additional Resources
- Federal Reserve SR 11-7: Model Risk Management
- OCC 2011-12: Sound Practices for Model Risk Management
- CFPB Circular 2023-03: Adverse action notices when using AI / complex algorithms
- NIST AI RMF 1.0 (MEASURE function)
- FINRA 2026 Annual Regulatory Oversight Report — AI examination priorities
- Microsoft Learn: Responsible AI in Copilot Studio
- Microsoft Responsible AI Toolbox (Fairlearn)
- EEOC Uniform Guidelines: four-fifths rule (29 CFR § 1607.4(D))
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current