Colorado Artificial Intelligence Act for Financial Services

Key obligations

• risk assessment→ deployerC.R.S. § 6-1-1703(3)

  Complete an annual impact assessment of each high-risk AI system, addressing purpose, intended outputs, performance metrics, transparency measures, post-deployment monitoring, and risks of algorithmic discrimination.

  Deadline: annually

• documentation→ developerC.R.S. § 6-1-1702

  Provide deployers with documentation including intended uses, harmful or inappropriate uses, data summaries, performance evaluations, mitigation measures, and information necessary for deployers to complete their impact assessments.

  Deadline: before_deployment

• disclosure→ deployerC.R.S. § 6-1-1703(4)

  Disclose to consumers when a high-risk AI system is being used to make a consequential decision affecting them, including the system's purpose, the nature of the consequential decision, contact information, and the right to opt out where required.

  Deadline: before_decision

• consumer right→ deployerC.R.S. § 6-1-1703(4)

  Provide consumers with a right to correct incorrect personal data and a right to appeal adverse consequential decisions to a human reviewer where technically feasible.

  Deadline: ongoing

Recommended next steps

1. Inventory AI systems used in financial services workflows that may fall within Colorado Artificial Intelligence Act's scope.
2. Map each system against the obligations above and identify the responsible role (developer vs deployer).
3. Adopt a structured framework — see NIST AI RMF and ISO/IEC 42001 — to demonstrate due care and produce audit-ready evidence.
4. Document obligations satisfied and gaps in a single register, refreshed at the cadence required by the law (typically annual).