Colorado SB 26-189 for Banks and Lenders: The ADMT Framework Replacing the 2024 AI Act and What is Due by January 2027

Pranay Shetty

The Colorado Statute Was Replaced Before It Took Effect

Senate Bill 26-189, signed by Governor Polis on May 14, 2026, repeals and reenacts the provisions of the 2024 Colorado AI Act (SB 24-205) at C.R.S. §§ 6-1-1701 through 6-1-1707 and replaces them with a narrower framework that takes effect January 1, 2027. The substance changed, not just the section numbers. The "high-risk artificial intelligence system" vocabulary is gone, the algorithmic-discrimination prohibition is gone, the reasonable-care duty is gone, the rebuttable presumption tied to the NIST AI RMF is gone, and the annual impact-assessment regime is gone. What replaced them is a disclosure-and-recourse statute built around "automated decision-making technology" (ADMT) used in consequential decisions, with the Colorado Attorney General as the sole enforcer and no private right of action.

The institutions we work with that were building the SB 24-205 program through the first quarter of 2026 are not throwing that work away, because much of it is still good model-risk hygiene. They are reorienting the deliverables list to the SB 26-189 obligations a Colorado AG sweep will actually measure them against. The post below is the version of the program we are running with banks and non-bank lenders on Colorado consumer portfolios for the January 1, 2027 turn-on.

The Definition That Decides Whether the Agent Is In Scope

SB 26-189 regulates "covered ADMT," which the act defines as automated decision-making technology that processes personal data using computation to generate predictions, scores, rankings, or classifications and that materially influences a consequential decision about a consumer. The "materially influences" test is the operative one for an institution that has a human in the loop and assumes that suffices to put the agent out of scope. It does not. A pricing model whose recommendation the desk almost always accepts, an early-default scoring model the servicer acts on, and a loan-officer recommendation engine that ranks applications all materially influence the decision a person formally records, and each one is covered ADMT under the act.

The consequential-decision domains at C.R.S. § 6-1-1701 are seven: employment, education, residential real estate, financial or lending services, insurance, health care, and essential government services. Financial or lending services is the domain that matters for the institutions we serve, and the rule reaches the consumer's access to, eligibility for, selection for, or compensation in those services. So underwriting, pricing, credit-limit changes, line-of-credit decisions, and loss-mitigation eligibility are squarely in scope, and the rule applies based on the consumer being a Colorado resident rather than on the institution being a Colorado entity.

What Is Not in the New Law and Why That Changes the Program

The drop from the 2024 framework is substantial enough that a program built only against the old text is now misaligned in both directions.

The act no longer prohibits algorithmic discrimination, no longer requires deployers to use reasonable care against it, no longer creates a rebuttable presumption tied to a recognized risk-management framework, and no longer requires an annual impact assessment of high-risk systems with a ninety-day refresh on intentional modifications. The AG self-disclosure obligation for discovered algorithmic discrimination is also gone. The institutions that built an SB 24-205-style impact-assessment binder are not in compliance trouble for having one, but those artifacts are no longer required deliverables under Colorado law.

What remains essential is fair-lending testing under federal law. ECOA, Regulation B, HMDA, and the Fair Housing Act did not change because SB 26-189 dropped the state-level discrimination duty, and the CFPB's August 2024 guidance and the federal banking agencies' 2025 fair-lending posture still expect the bank to test AI-driven credit and pricing decisions for disparate treatment and disparate impact. We continue to operate the fair-lending file we wrote about separately, because the federal exposure was never the part of SB 24-205 that justified building it, and dropping the state duty did not change the federal one. The Colorado-specific addition that was the 2024 act's reach into reproductive-health status, limited English proficiency, and other state-listed categories is no longer a state legal requirement, but several of those categories overlap fair-lending proxies our customers test against anyway.

What Is in SB 26-189 and What the Program Has to Produce

The replacement framework concentrates the deliverables around the consumer's experience at the moment of the decision and immediately afterward.

The deployer of a covered ADMT has to give the consumer clear and conspicuous notice at the point of interaction that an automated decision-making technology is being used or will be used in connection with a consequential decision, and the notice has to be in plain language. The institutions we serve are rendering this from the same customer-disclosure registry that controls Regulation B, Regulation Z, and ECOA notices, because a separate disclosure system that the Colorado notice runs on is a separate system that will eventually diverge from the rest of the disclosure stack.

If the covered ADMT contributes to a consequential decision that produces an adverse outcome for the consumer, the deployer has to provide a plain-language description of the decision, the ADMT's role in it, the principal factors behind the output, instructions for how the consumer can request additional information, and an explanation of the consumer's rights, within thirty days of the adverse outcome. The thirty-day window is the operative clock, and the substantive content overlaps the Regulation B 1002.9 adverse-action notice an ECOA program already produces. The operationally honest version of this is to extend the existing adverse-action notice rather than to build a parallel Colorado-only disclosure, because a credit decision that triggers both notices and produces two documents that disagree is a problem the AG will find before the consumer does.

The consumer has the right to request meaningful human review and reconsideration of a covered ADMT decision that resulted in an adverse outcome. "Meaningful" is the qualifier doing the work in the statute. The reviewer has to be a trained person with the authority to approve, modify, or override the decision; the reviewer has to consider relevant evidence the consumer submits rather than defaulting to the model output; and the reviewer has to have enough context about the system's intended use, limitations, inputs, and main factors to actually assess the determination. A program that routes the appeal to a representative whose only option is to confirm the model is not a meaningful human-review program, and the AG's office has signaled in its rulemaking docket that this is the obligation it intends to test first.

The consumer also has the right to request the personal data the covered ADMT used and to correct factually incorrect personal data, which threads into the institution's existing data-subject-rights program under the Colorado Privacy Act. The connection is real because the data-subject-rights queue is the operational system the correction flows through, and a program that builds a separate ADMT-correction inbox is one that loses cases between the two queues.

The developer of a covered ADMT has to provide each deployer with technical documentation describing the system's intended uses, the categories of personal data used in training, known limitations, and instructions for appropriate use and human review, and the developer has to notify deployers of material updates. For institutions that purchase rather than build, the developer-documentation deliverable is a contractual one we put into the vendor agreement and verify before deployment. A vendor that cannot produce an SB 26-189 developer disclosure is not a vendor the bank can deploy on Colorado consumer accounts after January 1, 2027.

Both developers and deployers have to retain records sufficient to demonstrate compliance with the act for at least three years. The retention clock and the file structure are what the AG will pull on a sweep, and the institutions we serve are aligning the retention with the existing record-retention schedule for the underlying consumer-finance workflow rather than building a parallel SB 26-189 archive.

The Exemptions Financial Institutions Actually Get and the Ones They Do Not

The new act narrowed the exemptions a federally regulated financial institution might have leaned on under the 2024 framework. There is no entity-level GLBA exemption in SB 26-189, which means a bank, credit union, or non-bank lender deploying a covered ADMT to a Colorado consumer is in scope regardless of its federal regulator. The Cooley analysis and the Norton Rose Fulbright analysis on the revised act's reach into financial institutions both make this point plainly, and the institutions our customers consulted with have confirmed it in their internal assessments.

What the act does provide is a federal-law conflict carve-out that allows the deployer to withhold disclosures or explanations to the extent that providing them would violate federal law, including the GLBA, or would compromise the integrity of a cybersecurity, fraud-prevention, anti-money-laundering, counter-terrorist-financing, or economic-sanctions program. The act also provides functional exemptions for ADMT used in AML compliance, sanctions screening, fraud prevention, and identity verification, which match the workflows the financial-crime team runs and which the act recognizes are not in the same posture as a credit or pricing decision. We treat these exemptions as scoped to their stated purpose; an ADMT used for both fraud detection and credit decisioning is exempt for the fraud half and in scope for the credit half, and the program has to keep those workflows architecturally separable to claim the carve-out cleanly.

How the SB 24-205 Work Maps to the SB 26-189 Deliverables

A bank that was building toward SB 24-205 has produced artifacts that do not disappear in value just because the duty changed. The mapping we are running with customers is concrete.

The fair-lending testing the 2024 program required against the broadened Colorado protected-characteristic list is still useful as fair-lending testing under federal law, and the ECOA-and-FHA program absorbs the elements that overlap. The categories specific to Colorado that have no federal analog (reproductive-health status, for example) are no longer state legal requirements but remain optional dimensions some institutions are keeping in the testing suite.

The impact assessment is no longer required, but the inventory and documentation work that produced it feeds the new developer-and-deployer documentation duty, the consumer notice content, and the record-retention obligation. We extract the system descriptions, training-data categories, known limitations, and intended-use statements from the prior impact assessment and load them into the deliverables the new act actually asks for.

The risk-management program is no longer required by Colorado, but the model-risk hygiene it produced still satisfies SR 11-7 and the NIST AI Risk Management Framework that the federal banking agencies' guidance still references. So the program stays, retitled.

The new pieces that the SB 24-205 program did not produce, and that the SB 26-189 program has to add, are the pre-decision notice at the point of interaction, the thirty-day adverse-outcome explanation, the meaningful human-review and reconsideration path, the data-correction flow tied into the existing privacy-rights queue, the developer disclosures from purchased systems, and the three-year retention scheme. These are the items we are sequencing for our customers' January 1, 2027 readiness.

Enforcement, Rulemaking, and Why the Bar Is Still Real

The Colorado AG is the sole enforcer under the reenacted act, and there is no private right of action for SB 26-189 itself. Violations are deceptive trade practices under the Colorado Consumer Protection Act, which means the AG's remedies and the penalty structure already familiar to consumer-finance counsel apply. The AG's rulemaking authority survived the reenactment, and the rulemaking docket the AG's office opened in 2025 under SB 24-205 has been reframed to the new statute; rules implementing the notice, the human-review standard, and the developer-documentation obligations are the ones the institutions we serve are tracking most closely.

The absence of a private right of action does not lower the bar for the institutions whose business is on the Colorado consumer base. The AG's office has signaled that high-volume consumer-facing institutions will be the first targets of any sweep, and consumer-finance institutions are at the top of that list. The reasonable working assumption is that the first AG inquiries land within months of January 1, 2027, and that institutions in the sweep will be asked to produce the consumer notices, the adverse-outcome explanations, the human-review records, the data-correction logs, the developer documentation for any third-party systems, and the three-year retention scheme that supports it all. A program that produces this on request is not the program the inquiry escalates against.

The Failure Mode We Are Engineering Against Now

The pattern we are watching for under the new framework is the program that produces the pre-decision notice and the thirty-day adverse-outcome explanation as separate documents from the institution's existing Regulation B adverse-action notice, with the result that the two say different things about the same decision. The Colorado notice says the principal factors were income, debt-to-income, and an automated risk score; the federal adverse-action notice says the principal reasons were the same three but in slightly different language, generated by a different system, against a slightly different snapshot of the same data. A consumer who reads both, an AG who pulls a sampled set of them, and a plaintiff's lawyer who wants to argue federal-law discrepancy each find the seam between them. The operational answer is one renderer, one source of truth, both notices produced from the same data with the SB 26-189-specific elements added to the Regulation B notice template rather than running parallel.

The second pattern is the human-review path that exists on the org chart but defaults to confirm. The trained reviewer with authority to override has to actually receive the consumer's submitted evidence, has to have time to consider it, and has to produce a written determination with the basis. A queue that disposes of a Colorado human-review request in two minutes per case with a templated affirmance is the queue the AG will read against the "meaningful" standard in the rule.

The Audit File the Colorado AG Will Ask For After January 2027

The file we are designing for SB 26-189 compliance per covered ADMT in scope includes the registry entry for the system with the description, the intended uses, the categories of training data, the known limitations, and the version history; the developer documentation for purchased systems with the dates and the change log; the pre-decision notice text rendered for each interaction with the consumer-facing language and the timestamp; the adverse-outcome explanation produced for each adverse decision with the thirty-day clock measurement; the human-review case file per request with the reviewer identity, the evidence considered, the determination, and the basis; the personal-data access-and-correction case file integrated with the Colorado Privacy Act response queue; the records of any reliance on the AML, sanctions, fraud, or identity-verification exemptions with the scoping rationale; and the three-year retention attestation for the underlying records.

A program that can produce this per request is the program that demonstrates compliance with the act. A program that has to reconstruct any of it is the program the inquiry stays open against.

The Honest Read on What Changed and What Did Not

The Colorado AG asked the legislature for a framework that was enforceable rather than aspirational, and the legislature delivered one that lands on the consumer-facing artifacts the office can actually review. The bar for institutions is narrower and more concrete. The duty to test for and prevent algorithmic discrimination did not survive the reenactment as Colorado law, but the federal fair-lending duty did not depend on it and is unchanged. The duty to produce annual impact assessments did not survive either, but the model-risk practice the impact assessment depended on still serves the SR 11-7 program. The duties that did land are the ones that show up to the consumer: a notice before, an explanation after, a real person available to reconsider, and a way to fix the data the system used. A program built for those is the program the January 1, 2027 turn-on will measure on. The institutions that are reorienting now have time. The ones that wait for the AG to send the first set of requests will find that the file the request asks for takes longer to build than the response window allows.

Pranay Shetty

CEO & Co-Founder

© 2026 Sei Software Technologies Inc. All rights reserved.