The New Colorado AI Act: What Financial Institutions Need to Know

Colorado recently upended its landmark artificial intelligence legislation, just a month before the bill’s effective date and with days left in the legislative session. Senate Bill 26-189 (SB 189) repeals and replaces Senate Bill 24-205, the 2024 law that first established Colorado’s AI legislative framework, with a substantially narrowed scope, and pushes back the effective date to January 1, 2027. SB 189 contains a restructured set of requirements and limits the scope of application to automated decision-making in consequential decisions.

SB 24-205 was significant in its potential impact on financial institutions, with a murky exemption for financial institutions subject to substantially similar obligations and regulatory oversight. However, SB 189 entirely eliminates that exemption.

While SB 189 will impose less burdensome obligations on financial institutions than those in the 2024 law, the fact that it pulls regulated entities into its scope unambiguously by eliminating the limited exemption from SB 24-205 marks a new era in state AI laws for financial institutions.

Key changes from the 2024 law

Terminology

The most noticeable change between the old and new Colorado bills is the terminology and framing.

The prior law applied to “high-risk artificial intelligence systems,” which were defined broadly to encompass any AI system that, when deployed, makes, or is a substantial factor in making, a consequential decision. SB 189 replaces this framework with a more technology-neutral concept and terminology lifted from privacy regulations: “automated decision-making technology” (ADMT), which is defined as a technology that processes personal data and uses computation to generate output (including predictions, recommendations, classifications, rankings, scores or other information) that is used to make, guide or assist a decision, judgment or determination concerning an individual. An ADMT is subject to SB 189 when it is used to materially influence a consequential decision, which is generally a decision that impacts a consumer’s access, eligibility or opportunity to receive, among other things, a financial or lending service or insurance pricing or coverage (covered domains).

A “consequential decision” includes decisions that relate to a differentiated price, cost sharing, compensation or other material terms in a manner reasonably likely to materially limit, delay, effectively deny or otherwise fundamentally alter the consumer’s access, eligibility or opportunity for a covered domain. Relevant to financial institutions, SB 189 includes a handful of narrow exemptions:

  • Activities relating to technologies used for cybersecurity, spam and robocall filtering, system reliability, and anti-money laundering and counter-terrorist financing controls.
  • Activities relating to technologies used for sanctions compliance, excluding facial recognition unless its sole purpose is to confirm an individual’s identity.
  • Activities relating to technologies used for fraud prevention, including identity verification, consumer identification, monitoring and reporting controls required under state or federal law.

While these carve-outs may offer relief for certain core financial services activities, just as in the prior version of the law, there is no entity- or data-level exemption for the Gramm-Leach-Bliley Act (GLBA) under SB 189. This means that the use of ADMT as part of the offering of financial, lending or insurance products or services to consumers is likely to be within the scope of SB 189.

Reduced compliance obligations

SB 189 eliminates several of the most operationally burdensome requirements from SB 24-205, including:

  • Anti-discrimination duty. Developers and deployers were required to use “reasonable care” to protect consumers from known or reasonably foreseeable risks of “algorithmic discrimination.”
  • Impact assessments. Deployers were required to complete a detailed impact assessment before deploying a high-risk AI system and at least annually thereafter.
  • Risk management policy. Deployers were required to implement a formal risk management policy and program governing each high-risk AI system deployment.
  • Public website disclosures. Deployers were required to post on their website a statement summarizing all deployed high-risk AI systems and how they managed algorithmic discrimination risks.
  • Reporting to the Colorado attorney general. Deployers discovering algorithmic discrimination were required to notify the attorney general within 90 days of discovery.
  • Bank/credit union exemption. Banks, credit unions and their affiliates could claim full compliance if subject to regulations or an examination by a state or federal prudential regulator under guidance substantially equivalent to or more stringent than SB 24-205’s requirements.

What’s new and relevant to financial institutions

Limited disclosure safe harbor

A financial institution that is required to provide, and does provide, a notice to a consumer under the Equal Credit Opportunity Act (ECOA) and its implementing Regulation B, and where applicable under the Fair Credit Reporting Act (FCRA), complies with the notice and disclosure requirements of SB 189 for the same decision or adverse outcome. Functionally, this means that financial institutions that provide adverse action notices under ECOA or FCRA can leverage those existing structures, rather than providing redundant or duplicative notices to satisfy SB 189.

No mandatory disclosure where prohibited by law

SB 189 does not require a disclosure, explanation or furnishing of information to a consumer to the extent doing so would be prohibited by federal law (including the GLBA) or would compromise the confidentiality or integrity of cybersecurity, fraud prevention, anti-money laundering, counter-terrorist financing or economic sanctions compliance programs. Functionally, this means that the content of disclosures and notices can be limited in terms of level of detail or the provision of personal data, where these countervailing obligations take over.

Broader exemptions

While AI-assisted decisions involving financial or lending services fall within the law’s covered domains, SB 189 offers practical exemptions for tools used for anti-money laundering compliance, sanctions screening, fraud prevention and identity verification.

Practical takeaways for financial institutions

For financial institutions, the compliance burden under SB 189 is generally substantially lighter than under SB 24-205. The new statute eliminates several of the prior regime’s most demanding features, including mandatory risk management policies, annual impact assessments and reporting obligations to the attorney general. In their place is a more targeted set of requirements focused on consumer-facing obligations, including website disclosures, post-adverse outcome notices within 30 days, meaningful human review upon request and record retention for three years. However, because SB 24-205’s narrow bank and credit union exemption has been eliminated, regulated financial institutions can no longer assume that existing examination or regulatory frameworks place them outside the law’s reach.

With the January 1, 2027, effective date approaching, financial institutions should begin preparing now. The attorney general is required to issue rules clarifying post-adverse outcome disclosure requirements and consumer rights by that date, and those rules may provide important sector-specific direction. In the meantime, institutions can begin identifying and mapping the AI tools they use in consequential decisions that may be within scope of SB 189.