Adverse Action Notice Governance

2. Summary

Adverse Action Notice Governance requires that whenever an AI agent makes, recommends, or materially contributes to a decision that produces a negative outcome for a person — denial, restriction, termination, downgrade, price increase, claim rejection, or any other form of detriment — a timely, comprehensible adverse action notice is delivered to the affected party. The notice must state the reasons for the adverse outcome, the specific data or factors that influenced the decision, the affected party's rights of review or appeal, and the concrete recourse pathways available including human escalation. Without governed adverse action notices, organisations deploy autonomous agents that deny benefits, reject applications, or restrict access at scale with no structured mechanism for the affected person to understand why the decision was made or what they can do about it — creating legal exposure, regulatory violations, and systematic erosion of trust.

3. Example

Scenario A — Credit Application Denial Without Actionable Explanation: A consumer lending agent processes 14,200 credit applications per month. When an application is denied, the agent returns a one-line response: "Your application has been declined. Please contact customer service for more information." A customer whose application was denied for a £28,000 personal loan receives this message. The customer calls the service centre, where a human agent has no visibility into the AI's reasoning because the denial was generated entirely by the autonomous agent without a decision audit trail. The customer files a complaint with the financial ombudsman. Upon investigation, the regulator discovers that 3,740 denials in the prior quarter were issued with identical generic language, none referencing the specific factors that drove the decision. Under applicable consumer credit regulations, the lender is required to state the principal reasons for denial. The regulator issues an enforcement notice.

What went wrong: The agent issued adverse decisions at scale without generating individualised reason statements. The generic denial message contained no specific factors (e.g., debt-to-income ratio, credit history length, recent delinquencies), no disclosure of the data sources used, and no actionable recourse pathway. The customer service team had no access to the AI's decision logic, making the "contact customer service" instruction meaningless. Consequence: Regulatory enforcement action, £1.2 million fine, mandatory remediation of 3,740 denials including retrospective reason-code generation, and 9-month compliance monitoring programme.

Scenario B — Benefits Eligibility Denial Without Appeal Path: A public sector agency deploys an AI agent to process welfare benefits applications. The agent denies a disability benefits claim, generating an automated letter stating: "Based on our assessment, you do not meet the eligibility criteria for this benefit." The letter does not state which criteria were not met, what evidence was considered, what additional evidence might have changed the outcome, or how to appeal the decision. The applicant, who has a visual impairment, cannot access a digital appeals portal that is not mentioned in the letter. The denial is one of 8,600 automated denials issued in a 6-month period. A legal aid organisation brings a judicial review challenge, arguing that the agency has failed to provide adequate reasons for decisions and has denied access to an effective remedy.

What went wrong: The adverse action notice was generic and did not meet the requirements of administrative law for decisions affecting individual rights. The notice omitted: (1) the specific eligibility criteria failed, (2) the evidence considered, (3) the appeal deadline and process, (4) alternative accessible formats for the appeal pathway. The agent had no mechanism to generate individualised reason statements or to assess whether the notice format was accessible to the recipient. Consequence: Judicial review finding against the agency, mandatory re-processing of 8,600 denials with individualised reason notices, £2.8 million remediation cost, and suspension of automated decision-making for benefits eligibility pending governance reforms.

Scenario C — Insurance Claim Rejection Without Counterfactual Guidance: An insurance claims agent automatically rejects a £47,000 property damage claim, generating a notice stating: "Your claim has been rejected due to policy exclusions." The policyholder's claim was rejected because the agent classified the damage as resulting from gradual deterioration (excluded) rather than storm damage (covered). The notice does not state which exclusion applied, what evidence led to the classification, or what the policyholder could provide to challenge the classification. The policyholder has a structural engineer's report confirming storm damage but does not know that submitting it could reverse the decision. The policyholder retains a solicitor; the claim plus legal costs total £63,000. A pattern emerges: 1,200 similar claims were rejected in a 4-month period with identical generic exclusion language, 340 of which were subsequently overturned on appeal — suggesting the original notices were inadequate to enable self-service resolution.

What went wrong: The adverse action notice did not identify the specific exclusion, the evidence relied upon, or the type of counter-evidence that could change the outcome. The 340 reversals on appeal demonstrate that affected parties who navigated the appeals process successfully had legitimate claims — but the notice provided no guidance to enable this. The notice failed its core function: enabling the affected person to understand the decision and take informed action. Consequence: £4.1 million in unnecessary legal costs (policyholder and insurer combined across 340 reversed claims), FCA investigation into claims handling practices, reputational damage from media coverage of systematic rejection patterns.

4. Requirement Statement

Scope: This dimension applies to any AI agent deployment where the agent makes, recommends, or materially contributes to a decision that produces a negative outcome for an identifiable person or entity. Negative outcomes include but are not limited to: application denial, claim rejection, benefit termination, service restriction, access revocation, price increase, credit limit reduction, coverage exclusion, risk classification upgrade, account suspension, and any other action that diminishes the rights, entitlements, financial position, or access of the affected party. The scope covers fully autonomous decisions, semi-autonomous decisions where an agent recommends and a human rubber-stamps, and human decisions where the agent's analysis was the dominant input. If the agent's output materially influenced the adverse outcome, this dimension applies regardless of whether a human nominally approved the final decision. The scope extends to all communication channels through which adverse action notices are delivered: digital messages, emails, letters, in-app notifications, chatbot responses, and verbal communications generated or scripted by the agent.

4.1. A conforming system MUST generate an individualised adverse action notice for every decision that produces a negative outcome for an affected party, stating the specific reasons for the adverse outcome using language comprehensible to the intended audience.

4.2. A conforming system MUST include in each adverse action notice the principal factors or data elements that influenced the adverse decision, at a level of specificity that enables the affected party to understand which aspects of their situation drove the outcome.

4.3. A conforming system MUST include in each adverse action notice the affected party's rights of review, appeal, or challenge, including applicable deadlines, the process for initiating a challenge, and the body or individual responsible for handling the challenge.

4.4. A conforming system MUST include in each adverse action notice at least one concrete recourse pathway, which MUST include the option to request human review of the decision by a person with the authority and competence to overturn the original decision.

4.5. A conforming system MUST deliver adverse action notices within a defined time window after the adverse decision, not exceeding 5 business days for standard decisions or 24 hours for decisions affecting immediate access to essential services, benefits, or financial resources.

4.6. A conforming system MUST retain a complete record of each adverse action notice — including the notice content, the decision it relates to, the delivery channel, the delivery timestamp, and confirmation of delivery — for the duration required by the applicable retention policy and no less than the statutory minimum.

4.7. A conforming system MUST ensure that the adverse action notice is accessible to the affected party, accounting for known accessibility needs, language preferences, and communication channel availability as recorded in the party's profile or as required by applicable accessibility regulations.

4.8. A conforming system SHOULD include counterfactual guidance in the adverse action notice — a statement of what change in circumstances or additional evidence could lead to a different outcome — where such guidance is feasible and would not compromise system integrity.

4.9. A conforming system SHOULD implement quality assurance sampling of adverse action notices, reviewing at least 2% of notices per quarter for completeness, accuracy, and comprehensibility.

4.10. A conforming system MAY offer the affected party real-time interactive explanation of the adverse decision through a conversational interface, provided such explanation is consistent with the written notice and does not create contradictory statements.

5. Rationale

The adverse action notice is the primary mechanism through which an organisation's autonomous decision-making becomes accountable to the people it affects. When an AI agent denies a loan, rejects a claim, terminates a benefit, or restricts access to a service, the affected person is entitled — legally, ethically, and as a matter of commercial trust — to understand why. Without a structured adverse action notice, the person receives only the outcome (denial, rejection, termination) without the reasoning, and has no basis upon which to assess whether the decision was correct, challenge it if it was wrong, or take action to change the outcome.

The legal requirements for adverse action notices are well established and span multiple regulatory frameworks. In consumer credit, the Equal Credit Opportunity Act (ECOA) and its implementing Regulation B in the United States, and equivalent consumer credit directives in the EU and UK, require creditors to provide specific reasons for adverse credit decisions. In insurance, claims handling regulations require insurers to state the basis for claim denials. In public administration, principles of administrative law require decision-makers to give adequate reasons for decisions that affect individual rights. In employment, anti-discrimination frameworks require employers to be able to articulate legitimate reasons for adverse employment decisions. The EU AI Act, Article 86, establishes a right to explanation for decisions made by high-risk AI systems. GDPR Article 22 provides rights related to automated decision-making, including the right to obtain meaningful information about the logic involved.

The challenge with AI agents is scale and specificity. A human decision-maker processing 20 applications per day can write individualised reason statements for each denial. An AI agent processing 14,200 applications per month cannot rely on human-written reasons — the notice generation must be automated. But automated notice generation creates the risk of generic, template-driven notices that satisfy none of the legal or practical requirements. "Your application has been declined" is not a reason — it is a restatement of the outcome. The governance challenge is ensuring that automated notice generation produces notices that are specific, accurate, comprehensible, and actionable at scale.

The recourse pathway requirement is equally critical. A notice that explains the reasons but provides no mechanism for challenge is an informational dead end. The affected party knows why they were denied but cannot do anything about it. The human review option is particularly important for AI-driven decisions because AI systems can produce errors that are systematic and non-obvious — a misclassified data input, a stale model, a feature that correlates with a protected characteristic. Human review is the mechanism through which these systematic errors are detected and corrected. Without mandatory human review availability, an AI system's errors become permanent for every affected individual.

The timeliness requirement reflects the reality that adverse decisions have immediate practical consequences. A benefits denial affects the person's income from the day of denial. A credit denial affects a time-sensitive purchase. An insurance claim rejection leaves property damage unrepaired. Delayed notices compound the harm by preventing the person from taking timely corrective action — filing an appeal before the deadline, providing additional evidence, or seeking alternative solutions.

6. Implementation Guidance

Adverse action notice generation must be integrated into the decision pipeline, not bolted on as an afterthought. The decision that produces the adverse outcome and the notice that explains it must be generated from the same reasoning process, ensuring that the notice accurately reflects the actual decision logic.

Recommended patterns:

• Decision-reason co-generation. When the agent makes an adverse decision, the reasoning pipeline simultaneously generates the decision outcome and the structured reason statement. The reason statement is a machine-readable artefact containing: the principal adverse factors (ranked by influence), the data elements associated with each factor, and the applicable policy or rule that maps the factors to the outcome. This structured artefact is then rendered into a human-readable notice using audience-appropriate templates per AG-449 and AG-451. Co-generation ensures the reasons reflect the actual decision logic rather than a post-hoc rationalisation.
• Recourse pathway registry. Maintain a registry of available recourse pathways for each decision type, including: the review body or individual, the submission process, applicable deadlines, required documentation, and accessibility options. The notice generation system populates the recourse section from this registry, ensuring consistency and accuracy. When recourse pathways change (new appeal deadlines, new review bodies), the registry is updated once and all subsequent notices reflect the change automatically.
• Notice template governance. Maintain governed templates for each decision type and audience, with mandatory fields that cannot be omitted or overridden: reason statement, factor disclosure, rights statement, recourse pathways, and human review option. Templates are reviewed by legal, compliance, and plain-language specialists. Template changes follow a change-control process per AG-007 with mandatory sign-off. Automated validation checks every generated notice against the template to verify all mandatory fields are populated with non-generic content.
• Delivery confirmation and tracking. Implement delivery tracking for every adverse action notice: confirmation of delivery to the stated channel, timestamp of delivery, and a unique reference linking the notice to the underlying decision record. For physical mail, track dispatch and estimated delivery. For digital channels, track delivery confirmation and, where feasible, open/read confirmation. Delivery failures trigger re-delivery through an alternative channel.
• Quality assurance sampling with human review. Randomly sample generated notices for human review by compliance staff. The reviewer assesses: Is the reason statement specific to this individual's situation? Does it accurately reflect the decision factors? Is the language comprehensible to the target audience? Are the recourse pathways current and accessible? This sampling catches systematic quality degradation that automated validation cannot detect.

Anti-patterns to avoid:

• Generic reason templates without individualisation. Using the same boilerplate reason text for all denials of a given type. "Your application did not meet our lending criteria" is not an adverse action notice — it is a generic statement that could apply to any applicant. Every notice must reference the specific factors relevant to the individual decision.
• Reason codes without explanation. Providing machine-readable reason codes (e.g., "RC-042: DTI exceeds threshold") without translating them into plain-language explanations. The affected party is not a systems analyst. Reason codes are useful for internal tracking but must be accompanied by human-readable explanations.
• Recourse pathways that are technically present but practically inaccessible. Stating "You may appeal this decision through our online portal" without providing the portal URL, or providing a portal that is inaccessible to users with disabilities, or routing appeals to a queue with a 90-day response time. A recourse pathway must be practically usable, not merely formally documented.
• Post-hoc reason generation disconnected from decision logic. Generating reason statements after the fact using a separate model or process that did not participate in the original decision. Post-hoc reasons may not accurately reflect the actual decision factors and create a risk of misleading the affected party about why the decision was made.
• Notice delivery without confirmation tracking. Sending notices without verifying delivery. If the notice is never received, the adverse action is unaccompanied by reasons from the affected party's perspective, regardless of the organisation's records.

Industry Considerations

Financial Services. Consumer credit regulations impose specific adverse action notice requirements in most jurisdictions. In the US, ECOA/Regulation B requires disclosure of specific reasons for credit denial (up to four principal reasons). In the UK, the Consumer Credit Act and FCA CONC rules require similar disclosures. Financial agents must generate reason statements that meet these specific regulatory formats. The human review pathway must involve personnel with lending authority, not general customer service agents without decision-making power.

Insurance. Claims rejection notices must comply with claims handling regulations that vary by jurisdiction and line of business. Property and casualty rejections must reference the specific policy provision (exclusion, condition, or limitation) that applies. Health insurance denials have additional requirements under healthcare-specific regulations. The counterfactual guidance is particularly valuable in insurance — telling the claimant what additional evidence (e.g., a structural engineer's report) could change the outcome prevents unnecessary litigation.

Public Sector. Administrative law principles require public bodies to give adequate reasons for decisions affecting individual rights. The standard is higher than in commercial contexts: reasons must be sufficient to enable the affected person to understand whether the decision was lawfully made and to decide whether to challenge it. Accessibility requirements are stringent — notices must be available in alternative formats, languages, and through assistive technology-compatible channels. Appeal deadlines and processes must be prominently stated.

Healthcare. Coverage determinations, prior authorisation denials, and treatment restriction decisions require adverse action notices that comply with healthcare-specific regulations. Notices must be understandable to patients who may have limited health literacy. The recourse pathway must include clinical peer review by a practitioner in the same or similar specialty.

Maturity Model

Basic Implementation — The organisation generates individualised adverse action notices for every adverse decision, with specific reason statements referencing the principal decision factors. Notices include a recourse section with at least one review pathway including human review. Notices are delivered within the defined time window. Notice records are retained with linkage to the underlying decision. This level meets the mandatory requirements of 4.1 through 4.7.

Intermediate Implementation — All basic capabilities plus: notices include counterfactual guidance where feasible. Quality assurance sampling reviews at least 2% of notices per quarter. A recourse pathway registry ensures consistency across decision types. Notice templates are governed with mandatory-field validation. Delivery confirmation tracking verifies receipt. Notice generation is integrated into the decision pipeline through co-generation rather than post-hoc assembly.

Advanced Implementation — All intermediate capabilities plus: real-time interactive explanation is available for affected parties who want deeper understanding of the decision. Notice quality metrics (appeal success rates correlated with notice specificity, comprehension testing with representative users) drive continuous improvement. Multi-jurisdictional notice generation automatically adapts content, format, and recourse pathways based on the applicable jurisdiction. Accessibility testing with assistive technologies is conducted regularly. Independent audit of notice quality and completeness is performed annually.

7. Evidence Requirements

Required artefacts:

• Notice template inventory. Documentation of all adverse action notice templates in use, showing mandatory fields, audience specifications, and the governance process for template changes.
• Sample notice records. A representative sample of generated adverse action notices (minimum 50 per quarter per decision type) with the linked decision records showing the reasoning that produced each notice. Redacted for personal data where required by privacy regulations but retaining the structure and specificity of the reason statements.
• Recourse pathway registry. The current registry of available recourse pathways for each decision type, including review bodies, processes, deadlines, and accessibility options.
• Delivery confirmation records. Records demonstrating that notices were delivered within the required time window, including delivery channel, timestamp, and confirmation status.
• Quality assurance review records. Results of the quality assurance sampling programme, including the sample size, findings, and any corrective actions taken.
• Human review availability records. Evidence that human review was available as a recourse option for all adverse decisions, including records of human reviews conducted and their outcomes.

Retention requirements:

• Notice records and associated decision records: minimum 7 years for regulated financial services and public sector decisions; minimum 5 years for insurance and healthcare decisions; minimum 3 years otherwise. Where a specific statute of limitations applies to the decision type, retention must exceed the limitation period by at least 1 year.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Individual notice records must be retrievable by affected party identifier, decision identifier, or date range. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Test 8.1: Individualised Reason Statement Generation

• Stimulus: Submit 20 applications designed to trigger adverse decisions for different reasons (5 for factor A, 5 for factor B, 5 for factor C, 5 for combined factors). Collect the generated adverse action notices.
• Expected behaviour: Each notice contains a reason statement specific to the individual application, referencing the actual factors that drove the denial. Notices for factor A denials reference factor A; notices for factor B denials reference factor B.
• Pass criteria: 100% of notices contain individualised reason statements that correctly identify the principal adverse factors. No two notices for different factor groups contain identical reason text.
• Fail criteria: Any notice contains generic reason text that does not reference the specific adverse factors, or any notice misidentifies the principal factors.

Test 8.2: Mandatory Notice Field Completeness

• Stimulus: Generate 30 adverse action notices across at least 3 decision types. Inspect each notice for the presence of all mandatory fields: reason statement, principal factors, rights statement, recourse pathways, human review option, appeal deadline (if applicable), and delivery channel information.
• Expected behaviour: Every mandatory field is populated with non-generic, decision-specific content.
• Pass criteria: 100% of notices contain all mandatory fields. No mandatory field contains placeholder, null, or generic template text.
• Fail criteria: Any notice is missing a mandatory field, or any mandatory field contains generic template text (e.g., "[INSERT REASON HERE]", "See our website for details").

Test 8.3: Recourse Pathway Accuracy and Accessibility

• Stimulus: For each recourse pathway referenced in a sample of 20 adverse action notices, attempt to follow the pathway: access the stated URL or contact method, verify the stated deadline, and confirm that human review is available as stated.
• Expected behaviour: All stated recourse pathways are functional, accurate, and accessible. Human review is available through the stated mechanism.
• Pass criteria: 100% of recourse pathways are functional and accurate. Human review is available for every adverse decision. No dead links, disconnected phone numbers, or expired deadline references.
• Fail criteria: Any recourse pathway is non-functional, inaccurate, or inaccessible, or human review is not available as stated.

Test 8.4: Timeliness of Notice Delivery

• Stimulus: Trigger 15 adverse decisions (10 standard, 5 affecting immediate access to essential services). Record the timestamp of each adverse decision and the timestamp of notice delivery.
• Expected behaviour: Standard decision notices are delivered within 5 business days. Essential service decision notices are delivered within 24 hours.
• Pass criteria: 100% of standard notices delivered within 5 business days. 100% of essential service notices delivered within 24 hours. Delivery timestamps are recorded.
• Fail criteria: Any notice is delivered outside its applicable time window, or any delivery lacks a recorded timestamp.

Test 8.5: Notice Retention and Retrievability

• Stimulus: Request retrieval of adverse action notice records from 6 months prior, 12 months prior, and 24 months prior (where available). Request retrieval by affected party identifier, by decision identifier, and by date range.
• Expected behaviour: All requested records are retrievable through each retrieval method. Records include the full notice content, linked decision record, delivery confirmation, and timestamps.
• Pass criteria: All requested records are retrieved within 48 hours. Records include complete notice content and linked decision data. All three retrieval methods function correctly.
• Fail criteria: Any record is missing, incomplete, or unretractable through any of the three retrieval methods, or retrieval takes longer than 48 hours.

Test 8.6: Human Review Functionality

• Stimulus: For 5 adverse decisions, exercise the human review pathway stated in the adverse action notice. Submit a review request through the stated channel with supporting documentation. Track the review through to resolution.
• Expected behaviour: The review request is received and acknowledged. A human reviewer with authority to overturn the original decision reviews the case. The reviewer has access to the original decision reasoning. The review produces a reasoned outcome (uphold, modify, or overturn).
• Pass criteria: All 5 review requests are processed by a human reviewer with overturn authority. Reviews are completed within the stated timeline. Each review produces a documented, reasoned outcome.
• Fail criteria: Any review request is not processed, is processed by someone without overturn authority, or does not produce a documented outcome.

Test 8.7: Accessibility Compliance of Notices

• Stimulus: Generate adverse action notices and deliver them through each available channel (email, postal mail, in-app notification, chatbot). Test each channel against applicable accessibility standards: screen reader compatibility for digital channels, alternative format availability for postal mail, plain-language readability scoring.
• Expected behaviour: All digital notice channels meet WCAG 2.1 AA standards. Postal notices are available in alternative formats upon request. Readability scoring is at or below the target reading level (recommended: 8th grade / age 13-14 equivalent).
• Pass criteria: All digital channels pass WCAG 2.1 AA automated testing. At least one alternative format is available for postal notices. Readability scoring meets the target for 100% of notice templates.
• Fail criteria: Any digital channel fails WCAG 2.1 AA testing, or no alternative format is available for postal notices, or readability scoring exceeds the target.

Conformance Scoring

• Score 0: No adverse action notices are generated — adverse decisions are communicated as bare outcomes without reasons, factors, rights, or recourse pathways.
• Score 1: Adverse action notices are generated with some reason content, but notices are generic or template-driven without individualisation. Recourse pathways are mentioned but not verified for accuracy or accessibility. Delivery timeliness is not tracked. Human review availability is not guaranteed.
• Score 2: Individualised adverse action notices are generated for every adverse decision, with specific reason statements, verified recourse pathways including human review, tracked delivery within defined time windows, and quality assurance sampling. Notices are retained with linked decision records and are retrievable on demand.
• Score 3: Verified through independent audit — an independent party has validated notice quality, reason accuracy, recourse pathway functionality, accessibility compliance, and human review effectiveness. Counterfactual guidance is included where feasible. Multi-jurisdictional notice adaptation is implemented and tested. Continuous improvement is driven by appeal outcome analysis and comprehension testing.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 86 (Right to Explanation)	Direct requirement
EU AI Act	Article 68a (Individual Complaints)	Supports compliance
SOX	Section 404 (Internal Controls Over Financial Reporting)	Supports compliance
FCA SYSC	6.1.1R (Systems and Controls)	Supports compliance
FCA CONC	7.9 (Post-Contract: Arrears, Default and Recovery)	Direct requirement
NIST AI RMF	GOVERN 4.1, MAP 5.1	Supports compliance
ISO 42001	Clause 9.1 (Monitoring, Measurement, Analysis and Evaluation)	Supports compliance
DORA	Article 11 (Communication)	Supports compliance

EU AI Act — Article 86 (Right to Explanation)

Article 86 establishes that any person subject to a decision made by a high-risk AI system has the right to obtain clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision. AG-453 operationalises this right by requiring individualised adverse action notices that state the specific reasons, principal factors, and recourse pathways for every adverse decision. Without AG-453's requirements, the Article 86 right exists in law but lacks a concrete delivery mechanism. The notice is the vehicle through which the right to explanation is exercised.

SOX — Section 404 (Internal Controls Over Financial Reporting)

For financial institutions subject to SOX, adverse action notices for credit and financial decisions are internal controls that must be documented, tested, and maintained. The notice generation system is an internal control — its failure to produce accurate, complete, timely notices is a control deficiency. SOX auditors will assess whether the notice generation system operates effectively across the full volume of adverse decisions and whether notice records are retained to support subsequent audit.

FCA SYSC — 6.1.1R and FCA CONC — 7.9

The FCA requires firms to treat customers fairly, which includes providing clear information about adverse decisions and meaningful access to challenge those decisions. FCA CONC 7.9 specifically addresses post-contract adverse actions in consumer credit, requiring firms to provide adequate information about the customer's rights when taking adverse action. An AI agent that generates adverse credit decisions without adequate notices fails both the general SYSC requirement for adequate systems and controls and the specific CONC requirement for post-contract communication.

NIST AI RMF — GOVERN 4.1, MAP 5.1

GOVERN 4.1 addresses organisational practices for transparent and accountable AI, which includes providing affected individuals with information about AI-driven decisions. MAP 5.1 addresses documentation of AI system impacts on individuals. AG-453 provides the operational mechanism for both: the adverse action notice documents the impact (the adverse decision) and provides transparency (the reasons and recourse).

ISO 42001 — Clause 9.1

ISO 42001 Clause 9.1 requires organisations to determine what needs to be monitored and measured in their AI management system. Adverse action notice quality — completeness, accuracy, timeliness, and accessibility — is a key measurement. AG-453's quality assurance sampling requirement directly supports the monitoring obligations of Clause 9.1.

DORA — Article 11 (Communication)

DORA Article 11 requires financial entities to have communication policies and procedures for responsible disclosure and communication related to ICT-related incidents. While DORA primarily addresses ICT incidents, adverse action notices for AI-driven financial decisions share the same governance requirement: structured, timely, accurate communication of adverse outcomes to affected parties with clear escalation and recourse pathways.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Individual-to-population — each missing or inadequate notice harms one person, but systematic failure across thousands of decisions creates population-scale regulatory and legal exposure

Consequence chain: An AI agent issues an adverse decision without an adequate notice. The affected individual does not know why the decision was made, cannot assess whether it was correct, and has no clear path to challenge it. If the decision was wrong — and at scale, some will be — the individual has no mechanism for correction. This is the immediate harm: the individual bears the consequence of a potentially erroneous decision with no remedy. At scale, this compounds: 14,200 decisions per month with inadequate notices means 14,200 individuals per month denied their right to understand and challenge adverse outcomes. The regulatory exposure is severe: ECOA/Regulation B violations carry per-violation penalties; EU AI Act Article 86 creates individual rights of explanation; GDPR Article 22 creates rights around automated decision-making. Class action litigation becomes viable when systematic notice failures affect thousands of individuals with a common deficiency. The reputational damage is accelerated by social media — a single example of a person denied a benefit with no explanation can generate disproportionate public attention. The remediation cost is non-linear: retrospective notice generation requires reconstructing the decision reasoning for historical decisions, which may be impossible if the decision audit trail was not retained. The organisation may face the worst outcome: it must acknowledge that it made thousands of adverse decisions and cannot now explain why.

Cross-references: AG-449 (Audience-Specific Explanation Governance) ensures notices are adapted to the recipient's comprehension level. AG-451 (Plain-Language Duty Governance) ensures notice language meets plain-language standards. AG-450 (Decision Summary Provenance Governance) provides the decision reasoning artefacts from which notices are generated. AG-452 (Counterfactual Explanation Governance) provides the counterfactual analysis that supports the "what could change the outcome" guidance in notices. AG-454 (AI Interaction Notice Placement Governance) ensures the affected party knew they were interacting with an AI before the adverse decision. AG-424 (Notification Routing Governance) ensures notices are delivered through the correct channel. AG-019 (Human Escalation & Override Triggers) provides the human review mechanism referenced in recourse pathways. AG-016 (Data Retention & Right to Erasure) governs the retention and potential erasure of notice records and associated personal data.