Colorado Artificial Intelligence Act for Financial Services
How Colorado Artificial Intelligence Act applies to financial services organizations and the obligations to plan for.
Why this law matters for financial services
Banks, lenders, insurers, broker-dealers, and fintech firms using AI for credit decisions, underwriting, fraud detection, and consumer interaction.
Financial services decisions are a named high-risk consequential category — credit underwriting, fraud scoring affecting access to services, account-closure decisions. Deployers must run impact assessments and provide consumer disclosure for AI-driven adverse decisions. Organizations operating in Colorado should treat this law as part of the baseline regulatory obligations alongside any sector-specific federal rules.
Key obligations
- risk assessment→ deployerC.R.S. § 6-1-1703(3)
Complete an annual impact assessment of each high-risk AI system, addressing purpose, intended outputs, performance metrics, transparency measures, post-deployment monitoring, and risks of algorithmic discrimination.
Deadline: annually
- documentation→ developerC.R.S. § 6-1-1702
Provide deployers with documentation including intended uses, harmful or inappropriate uses, data summaries, performance evaluations, mitigation measures, and information necessary for deployers to complete their impact assessments.
Deadline: before_deployment
- disclosure→ deployerC.R.S. § 6-1-1703(4)
Disclose to consumers when a high-risk AI system is being used to make a consequential decision affecting them, including the system's purpose, the nature of the consequential decision, contact information, and the right to opt out where required.
Deadline: before_decision
- consumer right→ deployerC.R.S. § 6-1-1703(4)
Provide consumers with a right to correct incorrect personal data and a right to appeal adverse consequential decisions to a human reviewer where technically feasible.
Deadline: ongoing
Recommended next steps
- Inventory AI systems used in financial services workflows that may fall within Colorado Artificial Intelligence Act's scope.
- Map each system against the obligations above and identify the responsible role (developer vs deployer).
- Adopt a structured framework — see NIST AI RMF and ISO/IEC 42001 — to demonstrate due care and produce audit-ready evidence.
- Document obligations satisfied and gaps in a single register, refreshed at the cadence required by the law (typically annual).
We may receive referral commissions from recommended compliance tools. Recommendations are based on product fit and not on commission size. Links marked “partner link” include a tracked redirect.