Compliance

AltFiScore is built for the regulated lending environment. This page covers the developer-facing pieces of that compliance posture — what we return in responses, what we don't store, and what your application is responsible for.

AltFiScore is infrastructure, not a lender

AltFiScore provides credit decisioning services to licensed lenders. AltFiScore is not itself a lender. Final lending decisions, consumer notices, and regulatory disclosures are the responsibility of you, the licensed lender deploying AltFiScore in your stack.

Adverse action handling

When a decision returns outcome: "declined" (or outcome: "referred", if you treat referrals as adverse), the response includes a decline_reasons array with ECOA-compliant reason codes and human-readable explanations:

200 OK · declined

{
  "decision_id": "f7e8d6c5-...",
  "status": "complete",
  "outcome": "declined",
  "decline_reasons": [
    {
      "code": "AA-01",
      "reason": "Insufficient cash flow stability over the last 90 days."
    },
    {
      "code": "AA-07",
      "reason": "Outstanding obligations exceed approval thresholds."
    }
  ]
}

Your application is responsible for delivering an adverse action notice to the consumer within the timelines required by ECOA (typically 30 days for credit applications). AltFiScore provides the reason codes; you generate and deliver the notice through your existing notification infrastructure (mail, secure portal, email per your state-specific requirements).

ECOA Reg B requires specific reasons

Always include at least the primary reason from decline_reasons in your consumer notice. Generic "we cannot extend credit at this time" notices do not meet Reg B's specificity requirement.

Reason code stability

AltFiScore's reason codes are stable across releases. Once a code is published in our reference, its meaning will not change. New codes may be added; existing codes will not be repurposed.

Codes follow the AA-NN format (e.g. AA-01, AA-07), mapped to the standard ECOA reason taxonomy.
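The adverse action handling and reason-code format described above, as an added example that is not AltFiScore's own code: it takes a decision response shaped like the declined example, decides whether a notice is due (with referrals optionally treated as adverse), refuses to produce a reason-less notice, checks codes against the AA-NN format, and computes the delivery deadline. The sample response and the 30-day default are constructed from this page; the function names are the example's own.

```python
import re
from datetime import date, timedelta

# Constructed sample shaped like the "200 OK · declined" response above (not a live response).
SAMPLE_DECLINED = {
    "decision_id": "example-decision-id",  # constructed placeholder, not a real id
    "status": "complete",
    "outcome": "declined",
    "decline_reasons": [
        {"code": "AA-01", "reason": "Insufficient cash flow stability over the last 90 days."},
        {"code": "AA-07", "reason": "Outstanding obligations exceed approval thresholds."},
    ],
}

CODE_RE = re.compile(r"^AA-\d{2}$")  # the documented AA-NN reason code format


def adverse_action_reasons(decision, treat_referred_as_adverse=False):
    """Return [(code, reason), ...] for an adverse outcome, or None when no notice is due.

    Raises ValueError instead of letting a generic, reason-less notice go out.
    """
    adverse = {"declined", "referred"} if treat_referred_as_adverse else {"declined"}
    if decision.get("status") != "complete" or decision.get("outcome") not in adverse:
        return None
    reasons = decision.get("decline_reasons") or []
    if not reasons:
        raise ValueError("adverse outcome without decline_reasons; a generic notice does not meet Reg B")
    for entry in reasons:
        if not CODE_RE.match(entry.get("code", "")) or not entry.get("reason"):
            raise ValueError(f"malformed decline_reasons entry: {entry!r}")
    return [(entry["code"], entry["reason"]) for entry in reasons]


def build_notice(decision, decision_date, notice_window_days=30, treat_referred_as_adverse=False):
    """Build the payload handed to your notification channel (mail, secure portal, email)."""
    if isinstance(decision_date, str):
        decision_date = date.fromisoformat(decision_date)
    reasons = adverse_action_reasons(decision, treat_referred_as_adverse)
    if reasons is None:
        return None
    return {
        "decision_id": decision["decision_id"],
        "primary_reason": reasons[0],  # at minimum this reason must appear in the consumer notice
        "all_reasons": reasons,
        "deliver_by": (decision_date + timedelta(days=notice_window_days)).isoformat(),
    }
```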

PII handling

AltFiScore is built around minimum-PII principles. How the PII you do send us is handled:

  • Encrypted in transit — every API request uses TLS 1.2+
  • Encrypted at rest — all PII fields (SSN, DOB, address) encrypted with AES-256
  • Redacted in our logs — request bodies in our internal API logs have PII fields masked. Your full request body never appears in our log aggregators or third-party monitoring tools.
  • Tenant-isolated — your consumers' data is logically isolated from every other tenant's data. We never share, sell, or aggregate across tenants.

Data retention

Decisions and applications are retained for seven years from the date of decision to support FCRA retention requirements and your regulatory examination needs. Raw upstream data (e.g., Plaid transactions) has shorter retention windows configurable per tenant.

You can export your tenant's data at any time via the lender portal or request a complete data deletion within 30 days of leaving the platform.

Certifications

AltFiScore maintains the following certifications and audit reports:

  • SOC 2 Type II — annual audit covering security, availability, and confidentiality controls
  • GLBA Safeguards Rule — covered as required for financial services data processors
  • CCPA / GDPR — consumer data rights handled for California and EU residents
  • FCRA — AltFiScore reports are not consumer credit reports under FCRA, but the platform respects FCRA conventions and provides codes compatible with FCRA-compliant notice generation

Audit reports are available under NDA. Contact sales@altfiscore.com to request.

Your obligations as the lender

AltFiScore handles the decisioning math. As the lender consuming the API, you remain responsible for:

  • Consumer-facing TILA disclosures — we generate the disclosure block; you present it to the consumer at the right moment in your flow
  • Adverse action notice delivery — we return reason codes; you deliver the notice via your established channel
  • State licensing — you must be licensed to lend in any state where you originate loans. AltFiScore's state-specific caps will flag violations but cannot substitute for proper licensing
  • BSA/AML obligations — OFAC and sanctions screening can be enabled in AltFiScore policies, but final SAR/CTR responsibilities remain with you
  • Your privacy policy — disclose to consumers that AltFiScore is part of your decisioning stack

Next steps